Skip to content

FullStory API Key

Service Name: FullStory

Service Description: FullStory is a digital experience analytics platform that helps businesses understand, measure, and improve the digital experience they provide to their users. It offers session replay, heatmaps, conversion funnels, and user behavior analytics.

Service Address: https://www.fullstory.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants programmatic access to FullStory's API, allowing retrieval of session data, user information, and analytics. Can be used to manage recordings, export data, and integrate with other systems.

Secret Revokement URL: https://help.fullstory.com/hc/en-us/articles/360020624854-Managing-API-Keys

Secret Example: fs_org_1234567890abcdef1234567890abcdef_1234567890abcdef1234567890abcdef

Suspicious Activity Investigation Instructions:

  • Check the FullStory audit logs for unusual API access patterns or data exports
  • Review the IP addresses that have been using the API key
  • Monitor for unexpected data exports or bulk downloads
  • Check for unauthorized integrations with third-party services
  • Verify if the API key has been used from unusual geographic locations

Mitigation Instructions:

  • Log in to your FullStory account as an administrator

  • Navigate to Settings > Security > API Keys

  • Locate the compromised API key
  • Click "Revoke" to immediately invalidate the key
  • Create a new API key if needed for legitimate services
  • Update any authorized applications or services with the new key
  • Review and update access controls for your FullStory account
  • Consider implementing IP restrictions at the application level if possible
  • Verify the validity of the API key by making a request to

https://developer.fullstory.com/server/v1/authentication/me/