OneSignal REST API Key
Service Name: OneSignal
Service Description: OneSignal is a push notification service that provides cross-platform delivery of notifications to mobile apps, web browsers, and other devices. It enables businesses and developers to send targeted messages to users across multiple platforms.
Service Address: https://onesignal.com/
Validation Type: API Auth
IP Allow list: Does not exist at the secret level, but IP restrictions can be configured at the account level through OneSignal's dashboard security settings.
Secret Access Scope: Grants programmatic access to OneSignal's REST API, allowing management of push notifications, segments, users, and app settings.
Secret Revokement URL: https://dashboard.onesignal.com/apps/[YOUR_APP_ID]/settings/keys_and_ids
Secret Example: YzFkMDRlNzItYTM0Zi00ZWRlLTg1YTUtZDJmMjQ4ZjI3YWNm
Suspicious Activity Investigation Instructions:
- Review the OneSignal dashboard for unusual notification activity or unexpected message sends.
- Check notification delivery reports for unauthorized campaigns.
- Monitor API usage logs for unusual patterns or high volumes of requests.
- Verify if there are any new devices or browsers registered to receive notifications.
- Check for changes in notification segments or audience targeting.
Mitigation Instructions:
- Log in to your OneSignal dashboard at https://dashboard.onesignal.com/.
- Go to Settings > Keys & IDs for your application.
- Click on Reset next to the REST API Key to invalidate the current key.
- Generate a new REST API Key.
- Update the API key in all legitimate applications and services.
- Review and update any security settings, including IP restrictions if available.
- Enable two-factor authentication for your OneSignal account if not already enabled.
- Audit all integrations that use the OneSignal API to ensure they're legitimate.