Shortcut API Token
Service Name: Shortcut (formerly Clubhouse)
Service Description: Shortcut is a project management platform designed for software development teams. It provides tools for planning, tracking, and managing software projects with features like story tracking, sprint planning, and roadmapping.
Service Address: https://shortcut.com/
Validation Type: API Auth
IP Allow list: Does not exist at the token level, but organization admins can restrict access based on IP addresses in the organization settings.
Secret Access Scope: Grants programmatic access to Shortcut API, allowing read and write operations on stories, epics, milestones, and other project management resources depending on the token permissions.
Secret Revokement URL: https://app.shortcut.com/settings/account/api-tokens
Secret Example: shortcut_pat_abcdefghijklmnopqrstuvwxyz123456
Suspicious Activity Investigation Instructions:
- Review the API token usage history in Shortcut audit logs.
- Check for unexpected story or epic creations, modifications, or deletions.
- Look for unauthorized workflow changes or member invitations.
- Monitor for data exports or bulk operations that weren't authorized.
- Review integration setups that might be using the compromised token.
Mitigation Instructions:
- Log in to your Shortcut account and navigate to Settings > Your Account > API Tokens.
- Identify the compromised token and click the Revoke button next to it.
- Create a new API token if needed with appropriate scopes.
- Update any legitimate applications or integrations with the new token.
- Review and update your organization's security practices for handling API tokens.
- Consider implementing IP restrictions at the organization level if available.
- Audit other tokens to ensure they're still necessary and properly secured.