Skip to content

PlanetScale Token

Service Name: PlanetScale

Service Description: PlanetScale is a serverless database platform built on Vitess, a MySQL-compatible database system designed for horizontal scaling. It provides a cloud-hosted MySQL-compatible database service with features like branching, non-blocking schema changes, and automatic scaling.

Service Address: https://planetscale.com/

Validation Type: API Auth

IP Allow list: IP allow lists can be configured at the database level through PlanetScale's access control settings.

Secret Access Scope: PlanetScale tokens grant programmatic access to databases and can have different permission levels (read-only, read-write, or admin) depending on how they were created.

Secret Revokement URL: https://planetscale.com/docs/concepts/password-management#revoking-passwords

Secret Example: pscale_tkn_abcdefghijklmnopqrstuvwxyz0123456789

Suspicious Activity Investigation Instructions:

  • Review the PlanetScale audit logs for unusual database access or operations
  • Check for unexpected schema changes or data modifications
  • Monitor for unusual query patterns or high-volume data access
  • Verify if the token has been used from unexpected geographic locations
  • Review database branch creation, merging, or deletion activities

Mitigation Instructions:

  • Log in to your PlanetScale account dashboard

  • Navigate to the database settings where the compromised token was created

  • Locate the token in the "Passwords" section
  • Click on the "Revoke" button next to the compromised token
  • Create a new token with appropriate permissions to replace the revoked one
  • Update any applications or services that were using the old token
  • Consider implementing more restrictive permissions for the new token
  • Enable IP allow listing for additional security if not already configured