Skip to content

Keywhiz API Key

Service Name: Keywhiz

Service Description: Keywhiz is a system for managing and distributing secrets like API keys, certificates, and passwords. It was developed by Square to help manage secrets across their infrastructure securely. Keywhiz provides a centralized system for storing, accessing, and distributing secrets to authorized services and applications.

Service Address: https://square.github.io/keywhiz/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Keywhiz server level through access controls.

Secret Access Scope: Grants programmatic access to the Keywhiz API for managing secrets, including creating, retrieving, updating, and deleting secrets stored in the Keywhiz server.

Secret Revokement URL: https://square.github.io/keywhiz/apidocs/ (Specific revocation would be done through the Keywhiz admin interface)

Secret Example: kw_api_3a7c4f8b2e1d9a0e5f6b7c8d9e0f1a2b3c4d5e6f

Suspicious Activity Investigation Instructions:

  • Review Keywhiz server logs for unusual API calls or access patterns
  • Check for unauthorized secret access or modifications
  • Monitor for unusual volume of secret retrievals
  • Verify client authentication attempts and failures
  • Examine audit logs for access from unexpected IP addresses or outside normal hours

Mitigation Instructions:

  • Immediately rotate the compromised API key through the Keywhiz admin

interface

  • Revoke the compromised API key and generate a new one
  • Update all authorized applications with the new API key
  • Review and update access control policies for the affected secrets
  • Audit all secrets that may have been accessed using the compromised key
  • Consider implementing more restrictive IP-based access controls
  • Enable enhanced logging and monitoring for the new API key