Skip to content

Zapier API Bearer Token

Service Name: Zapier

Service Description: Zapier is an automation platform that connects your apps and services together. It allows you to automate workflows by setting up "Zaps" that consist of a trigger and one or more actions across different applications.

Service Address: https://zapier.com/

Validation Type: API Auth

IP Allow list: Does not exist at the token level, but Zapier does offer IP restrictions for Zapier for Teams accounts.

Secret Access Scope: Grants programmatic access to Zapier's API, allowing management of Zaps, connections, and automation workflows. Can be used to create, read, update, and delete Zaps and access connected app data.

Secret Revokement URL: https://developer.zapier.com/dashboard/settings

Secret Example: sk_live_51KzGLpHMVtMgJZRCDIyXWviQsVxHOLJjcBS12X4YhhvZcGBpyQ7e3MZYhFzDIEXAM PLETOKEN

Suspicious Activity Investigation Instructions:

  • Review Zapier account activity logs for unusual Zap creations or modifications
  • Check for unauthorized integrations with third-party services
  • Monitor for data transfers to unfamiliar applications
  • Examine API usage patterns for abnormal request volumes or patterns
  • Verify if any sensitive data has been accessed through connected apps

Mitigation Instructions:

  • Log in to your Zapier developer account at https://developer.zapier.com/

  • Navigate to Dashboard > Settings

  • Locate the compromised API key in the list
  • Click the "Revoke" button next to the key
  • Generate a new API key if needed
  • Update any legitimate applications using the old key with the new one
  • Review and update permissions for connected apps and services
  • Enable additional security features like two-factor authentication for your Zapier

account