Skip to content

Flotiq API Token

Service Name: Flotiq

Service Description: Flotiq is a headless Content Management System (CMS) that provides API-first content management capabilities. It allows developers to create, manage, and deliver content through RESTful APIs, making it suitable for websites, mobile apps, and other digital platforms.

Service Address: https://flotiq.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Flotiq's security settings.

Secret Access Scope: Grants programmatic access to content types, media, and other resources within a Flotiq workspace. The token can have read-only or read-write permissions depending on how it was configured.

Secret Revokement URL: https://flotiq.com/docs/API/

Secret Example: fp_api_key_12345abcdef67890ghijklmnopqrstuvwxyz1234

Suspicious Activity Investigation Instructions:

  • Review API logs in the Flotiq dashboard for unusual access patterns or operations.
  • Check for unexpected content modifications or deletions in your content types.
  • Monitor for unusual API call volumes or requests from unexpected geographic locations.
  • Examine the timestamps of API calls to identify potential unauthorized access during off-hours.
  • Verify if there are any new content types or media files that were not created by authorized users.

Mitigation Instructions:

  • Log in to your Flotiq account dashboard.
  • Navigate to the API keys section in your account settings.
  • Identify the compromised API key and delete it immediately.
  • Create a new API key with appropriate permissions to replace the compromised one.
  • Update all applications and services that were using the old API key with the new one.
  • Consider implementing more restrictive permissions for API keys, limiting them to only the necessary content types and operations.
  • Enable additional security features like IP restrictions if available in your Flotiq plan.
  • Review your application code to ensure API keys are not exposed in client-side code or public repositories.