Skip to content

Dropbox Sign API Key

Service Name: Dropbox Sign (formerly HelloSign)

Service Description: Dropbox Sign is an eSignature platform that allows businesses to send, receive, and manage legally binding electronic signatures and documents securely.

Service Address: https://www.hellosign.com/ (now part of Dropbox)

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Dropbox Sign's security settings.

Secret Access Scope: Grants programmatic access to the Dropbox Sign API, allowing management of electronic signature requests, templates, and documents.

Secret Revokement URL: https://app.hellosign.com/account/api

Secret Example: 3a054b8b9b9c2b7699448f8f8b8d8c8d8e8f8g8h

Suspicious Activity Investigation Instructions:

  • Review the API usage logs in your Dropbox Sign account dashboard.
  • Check for unauthorized signature requests or template access.
  • Monitor for unusual document uploads or signature requests.
  • Verify if there are any unexpected changes to templates or account settings.
  • Review the IP addresses that have been accessing your account.

Mitigation Instructions:

  • Log in to your Dropbox Sign account at https://app.hellosign.com/
  • Navigate to Account Settings > API section.
  • Locate the compromised API key.
  • Select Revoke next to the API key to immediately invalidate it.
  • Generate a new API key if needed for legitimate applications.
  • Update any legitimate applications with the new API key.
  • Review and update security settings, including enabling two-factor authentication.
  • Consider implementing IP restrictions for API access if available.