Skip to content

OneSignal REST API Key

Service Name: OneSignal

Service Description: OneSignal is a push notification service that provides cross-platform delivery of notifications to mobile apps, web browsers, and other devices. It enables businesses and developers to send targeted messages to users across multiple platforms.

Service Address: https://onesignal.com/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but IP restrictions can be configured at the account level through OneSignal's dashboard security settings.

Secret Access Scope: Grants programmatic access to OneSignal's REST API, allowing management of push notifications, segments, users, and app settings.

Secret Revokement URL: https://dashboard.onesignal.com/apps/[YOUR_APP_ID]/settings/keys_and_ids

Secret Example: YzFkMDRlNzItYTM0Zi00ZWRlLTg1YTUtZDJmMjQ4ZjI3YWNm

Suspicious Activity Investigation Instructions:

  • Review the OneSignal dashboard for unusual notification activity or unexpected message sends.
  • Check notification delivery reports for unauthorized campaigns.
  • Monitor API usage logs for unusual patterns or high volumes of requests.
  • Verify if there are any new devices or browsers registered to receive notifications.
  • Check for changes in notification segments or audience targeting.

Mitigation Instructions:

  • Log in to your OneSignal dashboard at https://dashboard.onesignal.com/.
  • Go to Settings > Keys & IDs for your application.
  • Click on Reset next to the REST API Key to invalidate the current key.
  • Generate a new REST API Key.
  • Update the API key in all legitimate applications and services.
  • Review and update any security settings, including IP restrictions if available.
  • Enable two-factor authentication for your OneSignal account if not already enabled.
  • Audit all integrations that use the OneSignal API to ensure they're legitimate.