Skip to content

Heap API Key

Service Name: Heap Analytics

Service Description: Heap is a digital insights platform that automatically captures web and mobile app user interactions, allowing businesses to analyze user behavior without manual tracking code. It provides analytics, session replay, and user journey insights.

Service Address: https://heap.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Heap's security settings.

Secret Access Scope: Grants programmatic access to Heap's analytics data, user events, and account management functions. Can be used to query data, manage users, and configure tracking settings.

Secret Revokement URL: https://help.heap.io/getting-started-with-heap/data-management/manage-api-keys/

Secret Example: 96d23a8f7e9c1b5d4e6f7a8b9c0d1e2f

Suspicious Activity Investigation Instructions:

  • Review Heap audit logs for unusual API calls or data access patterns
  • Check for unexpected data exports or queries from unfamiliar IP addresses
  • Monitor for changes to tracking configurations or event definitions
  • Look for unusual volume of API requests that could indicate scraping
  • Verify if any new users or permissions were added to your Heap account

Mitigation Instructions:

  • Log into your Heap dashboard and navigate to Settings > API Keys

  • Identify the compromised API key and click "Revoke"

  • Generate a new API key if needed
  • Update the key in all legitimate applications that require Heap access
  • Review and adjust API key permissions to follow the principle of least privilege
  • Consider implementing IP restrictions for API access if not already in place
  • Review account users and remove any unauthorized access
  • Enable two-factor authentication for all users with Heap access