Skip to content

CARTO API Access Token

Service Name: CARTO

Service Description: CARTO is a cloud-based location intelligence and data visualization platform that enables organizations to analyze and visualize spatial data for business intelligence, urban planning, and other geospatial applications.

Service Address: https://carto.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through CARTO's security settings.

Secret Access Scope: Grants programmatic access to CARTO's APIs, allowing users to create, read, update, and delete datasets, maps, and visualizations within their CARTO account.

Secret Revokement URL: https://carto.com/developers/auth-api/guides/revoking-access-tokens/

Secret Example: carto_pk.eyJ1IjoiY2FydG8iLCJhIjoiY2s5b2txM2EzMDVvMzNsbzFjM3MyYnM4aCJ9.7XA0Vl1F2FCN6GGqLcZ9WQ

Suspicious Activity Investigation Instructions:

  • Review the CARTO dashboard for unauthorized datasets or visualizations.
  • Check API usage logs for unusual patterns or high-volume requests.
  • Monitor for unexpected changes to maps, datasets, or account settings.
  • Review IP addresses that have accessed the account for unfamiliar locations.
  • Check for unauthorized API calls or data exports.

Mitigation Instructions:

  • Log in to your CARTO account and navigate to the API Keys section.
  • Identify the compromised API token and revoke it immediately.
  • Create a new API token with appropriate permissions.
  • Update all applications and services to use the new token.
  • Review and adjust the scope of permissions for API tokens to follow the Principle of Least Privilege.
  • Consider implementing IP restrictions for API access if available in your plan.
  • Enable notifications for suspicious account activities.
  • Review all account users and remove any unauthorized access.