Trello API Key
Service Name: Trello
Service Description: Trello is a web-based, Kanban-style, list-making application that is used for project management and task organization. It allows users to create boards, lists, and cards to organize and prioritize projects in a flexible and visual way.
Service Address: https://trello.com/
Validation Type: API Auth
IP Allow list: Does not exist at the secret level, but Trello Enterprise offers IP restriction capabilities at the organization level.
Secret Access Scope: Grants programmatic access to Trello boards, lists, cards, and other resources associated with the user account that created the API key.
Secret Revokement URL: https://trello.com/app-key
Secret Example: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Suspicious Activity Investigation Instructions:
- Review the API usage logs in your Trello Power-Up or integration dashboard
- Check for unauthorized boards, lists, or cards created in your Trello workspace
- Monitor for unexpected changes to existing Trello boards or unusual activity patterns
- Review webhook configurations for any unauthorized endpoints
- Check for any unfamiliar third-party applications connected to your Trello account
Mitigation Instructions:
-
Log in to your Trello account and navigate to https://trello.com/app-key
-
Click on "Delete API Key" to revoke the compromised key
- Generate a new API key if needed for legitimate applications
- Review and update any applications or integrations that were using the old key
- Consider implementing token-based authentication with appropriate scopes
instead of using the API key directly
- For Enterprise users, consider implementing IP restrictions for API access
- Review all Power-Ups and third-party integrations connected to your Trello
account and remove any unauthorized connections