Sentry.io secret key exploitation

I found a leaked Sentry.io URL containing HTTP basic auth credentials. Both credentials look like random hashes.

https://4c9184f37cff01bcdc32dc486ec36961:5ebe2294ecd0e0f08eab7690d2a6ee69@sentry.io/164231 (not actually the URL)

After some research, it looks like they are Sentry.io public and secret keys.

According to the documentation, the secret key is used for session signing and it must be kept a secret. However, I’m unable to find any documentation about how the key is actually used. Does anyone know how to exploit the leaked key?

According to their docs, the keys are used for legacy auth. Read the auth docs here.

Hmm, I think you are talking about API keys. These are not API keys, they’re project keys (one public, one secret).

Did you try to make a GET request to https://4c9184f37cff01bcdc32dc486ec36961:5ebe2294ecd0e0f08eab7690d2a6ee69@sentry.io/ to see what you get?
Searching in the documentation, I found this instance where they mention the secret: https://docs.sentry.io/development/sdk-dev/overview/#usage-for-end-users
And I just read the following here: https://docs.sentry.io/development/sdk-dev/overview/#authentication

This key is effectively deprecated but for the time being should still be emitted by SDKs as some older Sentry versions required it in most situations. The secret key will be phased out entirely in future versions of Sentry.

So, it seems that it is not an issue to disclose that key. Anyway, you may want to google about it because I think there is/was a similar issue related to having access to source maps, but it wasn’t exactly the same issue as yours.
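
For anyone auditing their own code or configuration for this kind of leak, here is an added example (not part of any post in this thread, and not Sentry's code): a small Python scanner that finds DSNs of the form shown in the question, reports whether each one still embeds the secret key, and produces the DSN without the secret. The function name `audit_dsns`, the regular expression, and the second sample line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# DSN shape as shown in the question: scheme://PUBLIC[:SECRET]@host[/path]/PROJECT_ID
# Assumption: keys are 32 hex characters and the project id is numeric.
DSN_RE = re.compile(
    r"https?://[0-9a-f]{32}(?::[0-9a-f]{32})?@[\w.-]+(?::\d+)?(?:/[\w-]+)*/\d+",
    re.IGNORECASE,
)

def audit_dsns(text):
    """Return one finding per DSN in `text`; the secret itself is never echoed."""
    findings = []
    for match in DSN_RE.finditer(text):
        url = urlsplit(match.group(0))
        host = url.hostname + (f":{url.port}" if url.port else "")
        findings.append({
            "offset": match.start(),
            "host": host,
            "project_id": url.path.rsplit("/", 1)[-1],
            "public_key": url.username,
            "has_secret": url.password is not None,
            # Same DSN with the secret key dropped (the docs quoted in the
            # thread describe the secret key as effectively deprecated).
            "public_dsn": f"{url.scheme}://{url.username}@{host}{url.path}",
        })
    return findings

# Sample input: line 1 is the placeholder DSN from the question, line 2 is constructed.
SAMPLE = '''
SENTRY_DSN = "https://4c9184f37cff01bcdc32dc486ec36961:5ebe2294ecd0e0f08eab7690d2a6ee69@sentry.io/164231"
dsn: https://0123456789abcdef0123456789abcdef@sentry.example.org/42
'''

if __name__ == "__main__":
    for f in audit_dsns(SAMPLE):
        status = "embeds secret key" if f["has_secret"] else "public key only"
        print(f'{f["host"]} project {f["project_id"]}: {status} -> {f["public_dsn"]}')
```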