Skip to content

Keeper Connection Token

Service Name: Keeper Security

Service Description: Keeper Security is a zero-knowledge cybersecurity platform that provides password management, secrets management, secure file storage, and encrypted messaging solutions for businesses and individuals.

Service Address: https://keepersecurity.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the enterprise level through Keeper's Admin Console.

Secret Access Scope: Grants programmatic access to Keeper's Enterprise API, allowing applications to interact with the Keeper vault system, manage records, folders, and teams.

Secret Revokement URL: https://docs.keeper.io/enterprise-guide/commander-cli#token-revoke

Secret Example: US:XXkkvvttpp8899aayymmUU:Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

Suspicious Activity Investigation Instructions:

  • Review Keeper's audit logs for unusual access patterns or unauthorized record access.
  • Check for unexpected API calls or operations performed using the connection token.
  • Monitor for unauthorized sharing of records or changes to sharing permissions.
  • Verify if the token has been used from unusual geographic locations or IP addresses.
  • Review any changes to vault structure, record creation, or deletion that occurred during the suspected compromise period.

Mitigation Instructions:

  • Immediately revoke the compromised token using Keeper Commander CLI with the command: keeper token revoke <token_id>.
  • Generate a new connection token if needed for legitimate applications.
  • Review and update access controls for the affected Keeper account.
  • Enable two-factor authentication if not already in place.
  • Consider implementing IP restrictions for API access through the Keeper Admin Console.
  • Review all vault activity during the suspected compromise period and revert any unauthorized changes.
  • Update any credentials that may have been exposed through the compromised token.