Pendo API Key
Service Name: Pendo
Service Description: Pendo is a product analytics and digital adoption platform that helps software companies build better products through behavioral analytics, user feedback, and guided walkthroughs.
Service Address: https://www.pendo.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the account level through Pendo's security settings.
Secret Access Scope: Grants programmatic access to Pendo's API, allowing access to analytics data, feature usage, user information, and the ability to create in-app guides.
Secret Revokement URL: https://support.pendo.io/hc/en-us/articles/360031862232-API-Keys
Secret Example: pendo_api_key_7a8b9c0d1e2f3g4h5i6j7k8l9m0n1o2p
Suspicious Activity Investigation Instructions:
- Review API access logs in Pendo for unusual activity or unauthorized access.
- Check for unexpected data exports or guide creations.
- Monitor for unusual API calls, especially those accessing sensitive visitor data.
- Review any changes to integration settings or webhooks.
- Check for unauthorized access to visitor segments or feature analytics.
Mitigation Instructions:
- Log in to your Pendo account as an administrator.
-
Navigate to Settings > API Keys.
-
Locate the compromised API key and click "Delete" or "Revoke".
- Generate a new API key if needed.
- Update the API key in all legitimate applications and integrations.
- Review and adjust API key permissions to follow the principle of least privilege.
- Consider implementing IP restrictions for API access if available.
- Audit all integrations and applications using Pendo API keys.