Skip to content

Directus Admin Key

Service Name: Directus

Service Description: Directus is an open-source headless CMS (Content Management System) that provides a real-time API and intuitive admin app for managing database content. It allows developers to build custom solutions while providing non-technical users with a friendly interface for content management.

Service Address: https://directus.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the server level through environment variables or custom middleware.

Secret Access Scope: Grants full administrative access to the Directus instance, including all collections, files, users, and system settings.

Secret Revokement URL: https://docs.directus.io/self-hosted/config-options.html#security

Secret Example: directus_admin_1a2b3c4d5e6f7g8h9i0j

Suspicious Activity Investigation Instructions:

  • Review the activity logs in the Directus admin panel for unauthorized access or suspicious operations.
  • Check for unexpected changes to collections, fields, or user permissions.
  • Monitor for unusual API requests or data exports in server logs.
  • Verify if any new admin users have been created without authorization.
  • Examine file uploads for potentially malicious content.

Mitigation Instructions:

  • Immediately generate a new admin key by updating the ADMIN_API_KEY environment variable in your Directus configuration.

  • Restart the Directus service to apply the new key.

  • Update any legitimate applications or services that use the admin key with the new value.
  • Consider implementing IP restrictions for admin access through environment variables.
  • Review and potentially revoke access for any suspicious user accounts.
  • Enable two-factor authentication for all admin users if not already enabled.
  • Consider implementing a token rotation policy for regular key changes.