Skip to content

Reddit API Secret

Service Name: Reddit

Service Description: Reddit is a social media platform where users can submit content such as text posts, links, images, and videos, which are then voted up or down by other members. The platform is organized into user-created boards called "subreddits," each covering a specific topic.

Service Address: https://www.reddit.com/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but rate limiting is applied based on application usage.

Secret Access Scope: Grants programmatic access to Reddit's API for reading and writing data, managing posts, comments, and other Reddit content based on the OAuth scopes requested.

Secret Revokement URL: https://www.reddit.com/prefs/apps

Secret Example: Th1s_1s_4_R3dd1t_API_S3cr3t_K3y_3x4mpl3

Suspicious Activity Investigation Instructions:

  • Review the OAuth application's activity logs for unusual API calls or access patterns.

  • Check for unexpected posts, comments, or messages made through your application.

  • Monitor for unusual vote manipulation or content submission.

  • Verify if the application is accessing subreddits or user data outside its intended scope.

  • Check for unusual geographic access patterns to your Reddit application.

Mitigation Instructions:

  • Navigate to Reddit's app preferences page at https://www.reddit.com/prefs/apps

  • Locate the compromised application in your developer applications list.

  • Click "revoke" or "delete" to invalidate the current client secret.

  • Create a new application to generate a fresh client ID and secret if needed.

  • Update your application code with the new credentials.

  • Review and potentially reduce the OAuth scopes requested by your application.

  • Implement proper secret management practices to prevent future exposure.

  • Consider implementing additional authentication mechanisms like PKCE for public clients.