Skip to content

Monday.com API Token

Service Name: Monday.com

Service Description: Monday.com is a cloud-based work operating system that enables teams to manage projects, workflows, and tasks in a visual, collaborative environment. It provides customizable templates for various use cases including project management, sales CRM, marketing, and software development.

Service Address: https://monday.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level for Enterprise plans.

Secret Access Scope: Grants programmatic access to Monday.com resources including boards, items, updates, and users based on the token's permissions. Access can be read-only or read-write depending on the token configuration.

Secret Revokement URL: https://monday.com/developers/v2/docs/authentication#revoking-an-api-v2-token

Secret Example: eyJhbGciOiJIUzI1NiJ9.eyJ0aWQiOjE4MzM4MzI5LCJ1aWQiOjM5MzQ1NjgsImlhZCI6IjIwM jMtMDctMDVUMTI6MzQ6MDAuMDAwWiIsInBlciI6Im1lOndyaXRlIn0.7vPm9nK5jXYB6zQklAOO o4hNcT_dNQIZHAYPH9-1XZk

Suspicious Activity Investigation Instructions:

  • Review the Monday.com audit logs for unusual API calls or access patterns.
  • Check for unauthorized board or item creation, modification, or deletion.
  • Monitor for unexpected changes to user permissions or workspace settings.
  • Look for API calls from unusual geographic locations or outside business hours.
  • Verify if there are any integrations or automations created without authorization.

Mitigation Instructions:

  • Log in to your Monday.com account as an administrator.
  • Navigate to Admin > API > Manage API Tokens.
  • Locate the compromised token and click "Revoke" to immediately invalidate it.
  • Create a new token with appropriate permissions if needed.
  • Review and adjust permissions for the new token to follow the principle of least privilege.
  • Consider enabling IP restrictions for API access if on an Enterprise plan.
  • Review all integrations and automations to ensure they're authorized.
  • Update your security policies to include regular rotation of API tokens.