Skip to content

Pusher API Key

Service Name: Pusher

Service Description: Pusher is a hosted service that provides real-time WebSocket-based APIs for adding live data and functionality to web and mobile applications. It enables features like live chat, notifications, real-time dashboards, and collaborative editing.

Service Address: https://pusher.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level in the Pusher dashboard.

Secret Access Scope: Grants access to publish and subscribe to channels within a specific Pusher application, allowing developers to send real-time messages to connected clients.

Secret Revokement URL: https://dashboard.pusher.com/apps

Secret Example: a1b2c3d4e5f6g7h8i9j0

Suspicious Activity Investigation Instructions:

  • Review the Pusher dashboard for unusual traffic patterns or unexpected channel activity.
  • Check application logs for unauthorized connection attempts or message publishing.
  • Monitor for unexpected spikes in connection counts or message volumes.
  • Examine the IP addresses connecting to your Pusher channels for suspicious locations.
  • Review your application code for potential exposure of the Pusher key.

Mitigation Instructions:

  • Log in to the Pusher dashboard at https://dashboard.pusher.com/.
  • Select the affected application.
  • Navigate to the App Keys section.
  • Regenerate the compromised key by clicking Regenerate next to the appropriate key.
  • Update the key in all legitimate application instances.
  • Consider implementing channel authentication to restrict access to private channels.
  • Review and update your application's security settings, including IP allowlisting if appropriate.
  • Ensure your Pusher keys are stored securely and not exposed in client-side code.