Skip to content

Auth0 API Keys

Service Name: Auth0

Service Description: Auth0 is an identity management platform that provides authentication, authorization, and user management services for web, mobile, and legacy applications. It offers features like single sign-on, multi-factor authentication, social login, and enterprise connections.

Service Address: https://auth0.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the tenant level through Auth0 Dashboard under Security > Allowed IPs.

Secret Access Scope: Auth0 API keys grant access to the Auth0 Management API, allowing management of users, clients, connections, rules, and other Auth0 resources.

Secret Revokement URL: https://manage.auth0.com/#/apis

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL215LWF1dGgwLWRvb WFpbi5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8MTIzNDU2Nzg5MCIsImF1ZCI6ImFiY2RlZmdo aWprbG1ub3BxcnN0dXZ3eHl6MTIzNCIsImlhdCI6MTUxNjIzOTAyMn0.signature

Suspicious Activity Investigation Instructions:

  • Review Auth0 logs for unusual login attempts or API calls in the Auth0 Dashboard.
  • Check for unexpected changes to user accounts, applications, or connections.
  • Monitor for unusual geographic access patterns or access from unfamiliar IP addresses.
  • Review API usage metrics for abnormal spikes in activity.
  • Check for unauthorized creation of new applications or API clients.

Mitigation Instructions:

  • Rotate the compromised API key immediately in the Auth0 Dashboard.
  • Navigate to Applications > APIs in the Auth0 Dashboard.
  • Select the affected API and generate a new secret.
  • Update all legitimate applications with the new API key.
  • Review and update IP allowlists to restrict API access to trusted IPs only.
  • Enable additional security features like MFA for dashboard access.
  • Audit all recent changes made using the compromised key and revert any unauthorized changes.
  • Consider implementing more granular permissions using scoped API tokens instead of master keys.