Skip to content

OneSignal App Secret

Service Name: OneSignal

Service Description: OneSignal is a push notification service that enables businesses to send notifications across various platforms including mobile apps, web browsers, and email. It provides tools for customer engagement, retention, and communication.

Service Address: https://onesignal.com/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but IP restrictions can be configured at the account level through OneSignal's dashboard.

Secret Access Scope: Grants programmatic access to the OneSignal API, allowing management of push notifications, segments, users, and analytics for a specific OneSignal app.

Secret Revokement URL: https://dashboard.onesignal.com/apps/[YOUR_APP_ID]/settings/keys_and_ids

Secret Example: MDFhYmMyZDMtNGVmNS00Njc4LTlkYWItMjNiNGZjZDU2YmVj

Suspicious Activity Investigation Instructions:

  • Review the OneSignal dashboard for unusual notification activity or unexpected message sends
  • Check delivery reports for notifications you don't recognize
  • Monitor API usage logs for unauthorized endpoints or excessive requests
  • Verify if there are any new segments or users created without authorization
  • Examine notification content for potential malicious messages or phishing attempts

Mitigation Instructions:

  • Log in to your OneSignal dashboard at https://dashboard.onesignal.com/
  • Navigate to Settings > Keys & IDs for the affected app
  • Click "Reset" next to the REST API Key to invalidate the compromised key
  • Generate a new API key
  • Update all legitimate applications and services with the new API key
  • Review and update API access permissions if needed
  • Enable additional security features like two-factor authentication for your

OneSignal account

  • Audit your notification history to identify any unauthorized messages sent

during the compromise