GraphCMS API Token
Service Name: GraphCMS (now Hygraph)
Service Description: GraphCMS (rebranded as Hygraph) is a headless content management system that provides a GraphQL API for content delivery and management. It allows developers to build and deliver content-rich applications with a flexible content infrastructure.
Service Address: https://hygraph.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the project level in the Hygraph dashboard under API Access settings.
Secret Access Scope: Grants programmatic access to content management and delivery APIs, allowing operations like querying, creating, updating, and deleting content based on the token's permission level.
Secret Revokement URL: https://hygraph.com/docs/api-reference/basics/authentication#permanent-auth-tokens
Secret Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImdjbXMtbWFpbi1wcm9kdWN0aW9uIn0.eyJ2ZXJzaW9uIjozLCJpYXQiOjE2MjM2ODYyMjIsImF1ZCI6WyJodHRwczovL2FwaS1ldS1jZW50cmFsLTEuZ3JhcGhjbXMuY29tL3YyL2NrbzN0bDh5cDA1dnAwMXhvNXpqMGVoaTUvbWFzdGVyIl0sImlzcyI6Imh0dHBzOi8vbWFuYWdlbWVudC5ncmFwaGNtcy5jb20vIiwic3ViIjoiODQyMTFmZjYtMzgwNi00N2EzLWEwOGUtYzM3NWM5MGVlMmZjIiwianRpIjoiY2tvM3RwZ3FwMDY0ZTAxeG85c2g4Z2JtMyJ9.example
Suspicious Activity Investigation Instructions:
- Review the project audit logs in the Hygraph dashboard for unusual API calls or content modifications.
- Check for unexpected content changes or deletions in your Hygraph projects.
- Monitor for unusual access patterns or API requests from unfamiliar IP addresses.
- Review webhook configurations for any unauthorized changes.
- Check for unexpected schema changes or model modifications.
Mitigation Instructions:
- Log in to your Hygraph account and navigate to the project settings.
- Go to the API Access section and locate the compromised token.
- Click on the "Revoke" button next to the token to immediately invalidate it.
- Create a new token with appropriate permissions to replace the compromised one.
- Update all applications and services using the old token with the new one.
- Consider implementing more restrictive permissions for the new token.
- Enable IP allowlisting for API access if not already configured.
- Review and update your security practices for storing and handling API tokens.