What can be achieved with a leaked Postman API key?

I found a leaked Postman API key for a Bugcrowd program. Is this a serious issue? What can be achieved?


A fair bit.

Get all collections:

curl --location --request GET 'https://api.getpostman.com/collections' \
  --header 'X-Api-Key: [api key]'

(You can also add/update/delete)

Get all environments:

curl --location --request GET 'https://api.getpostman.com/environments' \
  --header 'X-Api-Key: [api key]'

(Add, update and delete as well)

Get the owner:
curl --location --request GET 'https://api.getpostman.com/me' \
  --header 'X-Api-Key: [api key]'

Get all the things (APIs):

curl --location --request GET '{{url}}/apis?workspace={{workspaceId}}' \
  --header 'x-api-key: {{apiKey}}' \
  --header 'Content-Type: application/json'

You can also just delete everything…

Take a gander here:
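As an added defender-side example (not part of the original thread): a small Python scanner that flags Postman API keys committed in text such as .env files or CI config and reports only a redacted form, so the finding can be triaged and the key rotated without copying the secret into a ticket. It assumes the PMAK-<24 hex>-<34 hex> key layout used by public secret-scanning rules; the sample input is constructed.

```python
import re
from dataclasses import dataclass

# Assumption (not stated in the thread): Postman API keys look like
# PMAK-<24 hex chars>-<34 hex chars>, the layout public secret scanners match.
POSTMAN_KEY_RE = re.compile(r"\bPMAK-[0-9a-f]{24}-[0-9a-f]{34}\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    redacted: str  # prefix and last four chars only; never the whole key


def redact(key: str) -> str:
    """Keep enough of the key to correlate findings, not enough to use it."""
    return key[:9] + "..." + key[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Postman key found, with 1-based line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in POSTMAN_KEY_RE.finditer(line):
            findings.append(Finding(line_no, redact(match.group(0))))
    return findings


# Constructed sample: a committed env file with one real-looking key, one
# placeholder and one string that has the prefix but the wrong shape.
SAMPLE = """\
POSTMAN_API_KEY=PMAK-0123456789abcdef01234567-0123456789abcdef0123456789abcdef01
# POSTMAN_API_KEY=PMAK-[api key]
export OTHER_TOKEN=PMAK-deadbeef-cafe
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: Postman API key {f.redacted} - rotate it")
```

A hit means the key should be treated as exposed and regenerated in the Postman account; the collections, environments and owner lookups in the thread are exactly what it grants until then.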