API keys or secrets are exposed in client-side code, public repositories, URLs, or response bodies, allowing unauthorized access to API services.
An attacker could use exposed API keys to access protected services, consume API quotas, exfiltrate data, or incur financial charges on the victim's account.
Store API keys in environment variables or secure vaults, never in code. Implement key rotation policies. Use short-lived tokens instead of long-lived keys. Monitor for key exposure using automated scanning tools. Restrict key permissions to minimum required scope.
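As an added illustration of the "monitor for key exposure" control (example code, not part of this entry), the following Python scanner checks constructed sample lines for hard-coded key shapes and keys passed in URLs; the regexes are assumed heuristic shapes, not vendor-published formats, and the entropy gate suppresses placeholder values.

```python
import math
import re

# Constructed sample lines standing in for a client-side bundle, a committed
# config file and a logged request URL. None of these are real credentials.
SAMPLE_LINES = [
    'const client = new ApiClient({ apiKey: "sk_live_9Qm4Tz7bXp2LkR8vHc3WnE6yJ1" });',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'fetch("https://api.example.com/v1/items?api_key=f3a9c2d4e1b7a8c6d5e4f3a2b1c0d9e8")',
    'const version = "1.0.0";',
    'api_key = os.environ["SERVICE_API_KEY"]',          # correct: read from environment
    'const apiKey = "xxxxxxxxxxxxxxxxxxxxxxxx"; // placeholder filled at build time',
]

# Heuristic patterns (assumed shapes for illustration, not vendor specifications).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "prefixed_secret": re.compile(r"\b(?:sk|pk)_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "key_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b[\"']?\s*[:=]\s*[\"']([^\"']{16,})[\"']"),
    "key_in_url": re.compile(r"(?i)[?&](?:api[_-]?key|token|secret)=([^&\s\"']{16,})"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, repeated filler scores low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line: str, min_entropy: float = 3.0) -> list:
    """Return (rule, candidate) pairs found in one line of text."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            candidate = m.group(1) if m.groups() else m.group(0)
            # Entropy gate: drop low-randomness matches such as "xxxx..." placeholders.
            if shannon_entropy(candidate) >= min_entropy:
                hits.append((name, candidate))
    return hits

def scan_lines(lines) -> list:
    """Scan many lines; returns (line_number, rule, candidate) triples."""
    return [(i + 1, rule, cand)
            for i, line in enumerate(lines)
            for rule, cand in scan_line(line)]
```

In a pipeline this would run as a pre-commit hook or CI step over the diff, and any hit should trigger rotation of the matched key rather than only a warning.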