Skip to content

Oracle API Gateway API Key

Service Name: Oracle Cloud Infrastructure API Gateway

Service Description: Oracle API Gateway is a fully managed service that enables you to publish APIs with private endpoints that are accessible from within your network, and public endpoints that are accessible from the internet. The service provides control over API execution by ensuring that only authorized users can access your APIs.

Service Address: https://www.oracle.com/cloud/api-management/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the API Gateway level through Oracle Cloud Infrastructure policies and network security groups.

Secret Access Scope: Grants access to specific APIs published through Oracle API Gateway with permissions defined by the associated policies.

Secret Revokement URL: https://docs.oracle.com/en-us/iaas/Content/APIGateway/Tasks/apigatewaycreatingkeys.htm

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJvcmFjbGVfYXBpX2dhdGV3YXkiL CJpc3MiOiJvcmFjbGUiLCJpYXQiOjE2MTIzNDU2Nzh9.EXAMPLE_KEY_SIGNATURE

Suspicious Activity Investigation Instructions:

  • Review API Gateway logs for unusual access patterns or unauthorized API calls
  • Check for unexpected traffic spikes or calls from unusual geographic locations
  • Monitor for attempts to access restricted endpoints or resources
  • Review Oracle Cloud Infrastructure audit logs for changes to API Gateway configurations
  • Check for unauthorized modifications to API policies or deployments

Mitigation Instructions:

  • Immediately revoke the compromised API key through the Oracle Cloud Console
  • Navigate to API Gateway service in the Oracle Cloud Console
  • Select the relevant API Gateway and go to the "API Keys" section
  • Locate the compromised key and select "Delete" or "Revoke"
  • Generate a new API key with appropriate permissions
  • Update any legitimate applications to use the new API key
  • Consider implementing additional security measures such as rate limiting and request validation
  • Review and update API Gateway policies to restrict access as needed
  • Enable more detailed logging for future monitoring