Skip to content

AppVeyor API Token

Service Name: AppVeyor

Service Description: AppVeyor is a continuous integration and deployment service for Windows and Linux that automates building, testing, and deployment of applications.

Service Address: https://www.appveyor.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level in AppVeyor settings.

Secret Access Scope: Grants programmatic access to AppVeyor API, allowing management of projects, builds, deployments, and account settings.

Secret Revokement URL: https://ci.appveyor.com/account/api

Secret Example: oy2k5uf9fwz7pa3gvqwm

Suspicious Activity Investigation Instructions:

  • Review AppVeyor build history for unauthorized or unusual builds.
  • Check project settings for unexpected changes or modifications.
  • Monitor deployment targets for unauthorized deployments.
  • Review API access logs for unusual API calls or access patterns.
  • Check for unauthorized project creation or modification.

Mitigation Instructions:

  • Log in to your AppVeyor account at https://ci.appveyor.com/
  • Navigate to "My Account" > "API Keys"
  • Revoke the compromised API token by clicking the "Revoke" button next to it

  • Generate a new API token if needed

  • Review project settings and secure environment variables
  • Enable two-factor authentication for your AppVeyor account
  • Consider implementing IP restrictions for API access in account settings
  • Review and update access permissions for all team members