Shopify API Key
Service Name: Shopify
Service Description: Shopify is an e-commerce platform that allows individuals and businesses to create online stores to sell products. It provides tools for managing inventory, processing payments, tracking orders, and analyzing sales data.
Service Address: https://www.shopify.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the app level for private apps through Shopify Admin.
Secret Access Scope: Grants programmatic access to a Shopify store's data and functionality based on the permissions granted to the API key. This can include access to products, orders, customers, inventory, and other store data.
Secret Revokement URL: https://admin.shopify.com/settings/apps
Secret Example: shpat_12a3b4c5d6e7f8g9h0i1j2k3l4m5n6o7
Suspicious Activity Investigation Instructions:
- Review the Shopify Admin audit logs for unusual API calls or access patterns.
- Check for unexpected changes to store settings, products, or orders.
- Monitor for unauthorized app installations or API key creations.
- Examine the permissions granted to the compromised API key.
- Review recent order and payment processing activities for suspicious transactions.
Mitigation Instructions:
- Log in to your Shopify Admin dashboard.
- Navigate to Settings > Apps and sales channels.
- Locate the app associated with the compromised API key.
- Click on the app and select Remove app or Revoke access.
- For custom apps, navigate to the Custom apps section and delete the app or regenerate the API key.
- For Partner apps, select Remove app to revoke access.
- Create a new API key with appropriate permissions if needed.
- Review and update your store's security settings, including two-factor authentication.
- Monitor your store for any additional suspicious activity after revoking the key.