API Key Leaked: What To Do Immediately (Step-by-Step)
Exact steps to take when an API key is exposed: rotation, containment, customer communication, and prevention.
If an API key is leaked, speed matters more than perfection.
Step 1 — Identify the key
- Find the customer/project
- Check last usage time
- List IPs and endpoints
Step 2 — Rotate immediately
- Generate new key
- Revoke old key (or set short expiry)
- Invalidate cached credentials
Step 3 — Contain damage
- Temporary rate limits
- Restrict sensitive endpoints
- Block obvious attacker IPs
Step 4 — Notify the customer
Provide:
- Timeline
- Estimated usage
- Suspected source
- Next steps
Step 5 — Find the leak source
- Public GitHub search
- CI logs
- Frontend bundles
- Support tickets
- Slack exports
Common leak sources
- Frontend JavaScript
- Mobile apps
- Public repos
- Docker images
- Shared demos
How to prevent the next leak
- Server-side keys only
- Per-user keys
- Short-lived tokens
- Key scopes
- Automated leak detection
Detection signals to add
- One key, many IPs
- Traffic spikes
- New countries
- High error rates
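As an added example (not code from the original article), a small Python scan over constructed API-gateway log records that checks all four signals above against each key's own earlier baseline; the record layout, the thresholds and the signal names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample gateway log records (not real traffic):
# (minute, key_id, client_ip, country, http_status)
SAMPLE_LOGS = [
    (0, "key_A", "10.0.0.1", "DE", 200),
    (1, "key_A", "10.0.0.1", "DE", 200),
    (2, "key_A", "10.0.0.1", "DE", 200),
    (2, "key_B", "10.0.0.9", "US", 200),
    # minute 3: key_A suddenly appears from many new addresses in a new country
    (3, "key_A", "203.0.113.5", "BR", 403),
    (3, "key_A", "203.0.113.6", "BR", 403),
    (3, "key_A", "203.0.113.7", "BR", 403),
    (3, "key_A", "203.0.113.8", "BR", 200),
    (3, "key_A", "203.0.113.9", "BR", 403),
    (3, "key_A", "203.0.113.10", "BR", 403),
]

def analyze(logs, baseline_end, max_ips=3, spike_factor=3.0, max_error_rate=0.5):
    """Compare each key's traffic after `baseline_end` with its own earlier baseline.
    Returns {key_id: [signal, ...]} for keys tripping at least one signal."""
    first_minute, last_minute = min(r[0] for r in logs), max(r[0] for r in logs)
    baseline_minutes = max(baseline_end - first_minute + 1, 1)
    window_minutes = max(last_minute - baseline_end, 1)
    base = defaultdict(lambda: {"n": 0, "ips": set(), "countries": set()})
    win = defaultdict(lambda: {"n": 0, "errors": 0, "ips": set(), "countries": set()})
    for minute, key, ip, country, status in logs:
        bucket = base[key] if minute <= baseline_end else win[key]
        bucket["n"] += 1
        bucket["ips"].add(ip)
        bucket["countries"].add(country)
        if minute > baseline_end and status >= 400:
            bucket["errors"] += 1
    findings = {}
    for key, w in win.items():
        b = base[key]  # a key with no baseline traffic gets empty stats
        signals = []
        if len(w["ips"]) > max_ips:
            signals.append("one_key_many_ips")
        # floor the baseline at 1 req/min so a previously idle key is not flagged by a trickle
        if w["n"] / window_minutes > spike_factor * max(b["n"] / baseline_minutes, 1.0):
            signals.append("traffic_spike")
        if w["countries"] - b["countries"]:
            signals.append("new_country")
        if w["errors"] / w["n"] > max_error_rate:
            signals.append("high_error_rate")
        if signals:
            findings[key] = signals
    return findings
```

Running `analyze(SAMPLE_LOGS, baseline_end=2)` flags only `key_A`, with all four signals; a key whose post-baseline traffic looks like its baseline produces no finding.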
Most API incidents start with a leaked key. Treat rotation as a routine operation, not an emergency ritual.
FAQ
Should I block all traffic immediately?
Rotate first. Full blocking can break legitimate customers.
Is IP allowlisting enough?
Only for server-to-server use cases.