Skip to content

Shortcut API Token

Service Name: Shortcut (formerly Clubhouse)

Service Description: Shortcut is a project management platform designed for software development teams. It provides tools for planning, tracking, and managing software projects with features like story tracking, sprint planning, and roadmapping.

Service Address: https://shortcut.com/

Validation Type: API Auth

IP Allow list: Does not exist at the token level, but organization admins can restrict access based on IP addresses in the organization settings.

Secret Access Scope: Grants programmatic access to Shortcut API, allowing read and write operations on stories, epics, milestones, and other project management resources depending on the token permissions.

Secret Revokement URL: https://app.shortcut.com/settings/account/api-tokens

Secret Example: shortcut_pat_abcdefghijklmnopqrstuvwxyz123456

Suspicious Activity Investigation Instructions:

  • Review the API token usage history in Shortcut audit logs.
  • Check for unexpected story or epic creations, modifications, or deletions.
  • Look for unauthorized workflow changes or member invitations.
  • Monitor for data exports or bulk operations that weren't authorized.
  • Review integration setups that might be using the compromised token.

Mitigation Instructions:

  • Log in to your Shortcut account and navigate to Settings > Your Account > API Tokens.
  • Identify the compromised token and click the Revoke button next to it.
  • Create a new API token if needed with appropriate scopes.
  • Update any legitimate applications or integrations with the new token.
  • Review and update your organization's security practices for handling API tokens.
  • Consider implementing IP restrictions at the organization level if available.
  • Audit other tokens to ensure they're still necessary and properly secured.