Skip to content

Pendo API Key

Service Name: Pendo

Service Description: Pendo is a product analytics and digital adoption platform that helps software companies build better products through behavioral analytics, user feedback, and guided walkthroughs.

Service Address: https://www.pendo.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through Pendo's security settings.

Secret Access Scope: Grants programmatic access to Pendo's API, allowing access to analytics data, feature usage, user information, and the ability to create in-app guides.

Secret Revokement URL: https://support.pendo.io/hc/en-us/articles/360031862232-API-Keys

Secret Example: pendo_api_key_7a8b9c0d1e2f3g4h5i6j7k8l9m0n1o2p

Suspicious Activity Investigation Instructions:

  • Review API access logs in Pendo for unusual activity or unauthorized access.
  • Check for unexpected data exports or guide creations.
  • Monitor for unusual API calls, especially those accessing sensitive visitor data.
  • Review any changes to integration settings or webhooks.
  • Check for unauthorized access to visitor segments or feature analytics.

Mitigation Instructions:

  • Log in to your Pendo account as an administrator.
  • Navigate to Settings > API Keys.

  • Locate the compromised API key and click "Delete" or "Revoke".

  • Generate a new API key if needed.
  • Update the API key in all legitimate applications and integrations.
  • Review and adjust API key permissions to follow the principle of least privilege.
  • Consider implementing IP restrictions for API access if available.
  • Audit all integrations and applications using Pendo API keys.