Skip to content

Heroku API Key

Service Name: Heroku

Service Description: Heroku is a platform as a service (PaaS) that enables developers to build, run, and operate applications entirely in the cloud. It supports several programming languages and is owned by Salesforce.

Service Address: https://www.heroku.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be implemented at the application level using Heroku Shield or through add-ons like Quotaguard Static IP.

Secret Access Scope: Grants programmatic access to manage Heroku applications, add-ons, and resources. Can be used to deploy code, scale dynos, manage databases, and access all resources associated with the account.

Secret Revokement URL: https://dashboard.heroku.com/account/applications

Secret Example: 4a1d8c83-0eef-498e-8cdc-1234567890ab

Suspicious Activity Investigation Instructions:

  • Review Heroku dashboard for unauthorized application deployments or modifications
  • Check for unexpected changes in dyno configurations or scaling
  • Monitor for unauthorized add-on installations or modifications
  • Review application logs for suspicious activities
  • Check for unexpected collaborators added to your applications
  • Review billing information for unexpected charges

Mitigation Instructions:

  • Log in to your Heroku account at https://dashboard.heroku.com/

  • Navigate to Account Settings → Applications

  • Find the compromised API key in the "Authorized Applications" section
  • Click "Revoke" next to the API key
  • Generate a new API key if needed
  • Update the API key in all legitimate applications and CI/CD pipelines
  • Review and update access controls for your Heroku account
  • Enable two-factor authentication if not already enabled
  • Consider implementing IP restrictions for your Heroku applications if available