Dropbox Sign API Key
Service Name: Dropbox Sign (formerly HelloSign)
Service Description: Dropbox Sign is an eSignature platform that allows businesses to send, receive, and manage legally binding electronic signatures and documents securely.
Service Address: https://www.hellosign.com/ (now part of Dropbox)
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the account level through Dropbox Sign's security settings.
Secret Access Scope: Grants programmatic access to the Dropbox Sign API, allowing management of electronic signature requests, templates, and documents.
Secret Revokement URL: https://app.hellosign.com/account/api
Secret Example: 3a054b8b9b9c2b7699448f8f8b8d8c8d8e8f8g8h
Suspicious Activity Investigation Instructions:
- Review the API usage logs in your Dropbox Sign account dashboard.
- Check for unauthorized signature requests or template access.
- Monitor for unusual document uploads or signature requests.
- Verify if there are any unexpected changes to templates or account settings.
- Review the IP addresses that have been accessing your account.
Mitigation Instructions:
- Log in to your Dropbox Sign account at https://app.hellosign.com/
- Navigate to Account Settings > API section.
- Locate the compromised API key.
- Select Revoke next to the API key to immediately invalidate it.
- Generate a new API key if needed for legitimate applications.
- Update any legitimate applications with the new API key.
- Review and update security settings, including enabling two-factor authentication.
- Consider implementing IP restrictions for API access if available.