Skip to content

Trello API Key

Service Name: Trello

Service Description: Trello is a web-based, Kanban-style, list-making application that is used for project management and task organization. It allows users to create boards, lists, and cards to organize and prioritize projects in a flexible and visual way.

Service Address: https://trello.com/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but Trello Enterprise offers IP restriction capabilities at the organization level.

Secret Access Scope: Grants programmatic access to Trello boards, lists, cards, and other resources associated with the user account that created the API key.

Secret Revokement URL: https://trello.com/app-key

Secret Example: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Suspicious Activity Investigation Instructions:

  • Review the API usage logs in your Trello Power-Up or integration dashboard
  • Check for unauthorized boards, lists, or cards created in your Trello workspace
  • Monitor for unexpected changes to existing Trello boards or unusual activity patterns
  • Review webhook configurations for any unauthorized endpoints
  • Check for any unfamiliar third-party applications connected to your Trello account

Mitigation Instructions:

  • Log in to your Trello account and navigate to https://trello.com/app-key

  • Click on "Delete API Key" to revoke the compromised key

  • Generate a new API key if needed for legitimate applications
  • Review and update any applications or integrations that were using the old key
  • Consider implementing token-based authentication with appropriate scopes

instead of using the API key directly

  • For Enterprise users, consider implementing IP restrictions for API access
  • Review all Power-Ups and third-party integrations connected to your Trello

account and remove any unauthorized connections