Skip to content

Hotjar API Key

Service Name: Hotjar

Service Description: Hotjar is a behavior analytics and user feedback service that helps website owners understand how visitors interact with their sites through heatmaps, session recordings, surveys, and feedback tools.

Service Address: https://www.hotjar.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level but not directly at the API key level.

Secret Access Scope: Grants programmatic access to Hotjar's API, allowing retrieval of analytics data, management of heatmaps, recordings, surveys, and other Hotjar features.

Secret Revokement URL: https://help.hotjar.com/hc/en-us/articles/115011799307-API-Keys

Secret Example: hjXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Suspicious Activity Investigation Instructions:

  • Review Hotjar account activity logs for unusual data access patterns.
  • Check for unexpected API calls or data exports.
  • Monitor for unauthorized changes to tracking settings or survey configurations.
  • Review user management section to identify any unauthorized users added to the account.
  • Check if there are any unexpected integrations set up with third-party services.

Mitigation Instructions:

  • Log in to your Hotjar account and navigate to the Account Settings.

  • Go to the API section.

  • Locate the compromised API key and click "Revoke" or "Delete".
  • Generate a new API key if needed.
  • Update the API key in all legitimate applications and services.
  • Review and update access permissions for all team members.
  • Enable two-factor authentication for all users with access to Hotjar.