Skip to content

Optimizely API Token

Service Name: Optimizely

Service Description: Optimizely is a digital experience platform that provides A/B testing, feature flagging, and experimentation tools to help businesses optimize their digital products and customer experiences.

Service Address: https://www.optimizely.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Optimizely's security settings.

Secret Access Scope: Grants programmatic access to Optimizely's APIs, allowing management of experiments, feature flags, audiences, and results data.

Secret Revokement URL: https://app.optimizely.com/v2/accountsettings/apitoken

Secret Example: 2:_YourOptimizelyAPIToken123456789abcdefghijklmnopqrstuvwxyz

Suspicious Activity Investigation Instructions:

  • Review Optimizely logs for unusual API calls or experiment modifications.
  • Check for unexpected changes to experiments, feature flags, or audiences.
  • Monitor for unauthorized creation of new experiments or modifications to existing ones.
  • Review IP addresses that have accessed the API for any unfamiliar locations.
  • Check for unusual data export activities or mass changes to configurations.

Mitigation Instructions:

  • Log in to your Optimizely account at https://app.optimizely.com/.
  • Navigate to Account Settings > API Access.

  • Locate the compromised API token.

  • Click "Revoke" next to the token to immediately invalidate it.
  • Generate a new API token if needed.
  • Update all legitimate applications and services with the new token.
  • Review and adjust IP restrictions if available for your account type.
  • Consider implementing shorter token expiration periods for future tokens.