KeyHacks shows methods to validate different API keys found on a Bug Bounty Program or a pentest.

@Gwen001 has scripted the entire process available here and it can be found here

ABTasty API Key
Algolia API key
Amplitude API Keys
Asana Access token
AWS Access Key ID and Secret
Azure Application Insights APP ID and API Key
Bazaarvoice Passkey
Bing Maps API Key
Bit.ly Access token
Branch.io Key and Secret
BrowserStack Access Key
Buildkite Access token
ButterCMS API Key
Calendly API Key
Contentful Access Token
CircleCI Access Token
Cloudflare API key
Cypress record key
DataDog API key
Delighted API key
Deviant Art Access Token
Deviant Art Secret
Dropbox API
Facebook Access Token
Facebook AppSecret
Firebase
Firebase Cloud Messaging (FCM)
FreshDesk API Key
Github client id and client secret
GitHub private SSH key
Github Token
Gitlab personal access token
GitLab runner registration token
Google Cloud Service Account credentials
Google Maps API key
Google Recaptcha key
Grafana Access Token
Help Scout OAUTH
Heroku API key
HubSpot API key
Infura API key
Instagram Access Token
Instagram Basic Display API
Instagram Graph API
Ipstack API Key
Iterable API Key
JumpCloud API Key
Keen.io API Key
LinkedIn OAUTH
Lokalise API Key
Loqate API Key
MailChimp API Key
MailGun Private Key
Mapbox API key
Microsoft Azure Tenant
Microsoft Shared Access Signatures (SAS)
Microsoft Teams Webhook
New Relic Personal API Key (NerdGraph)
New Relic REST API
NPM token
OpsGenie API Key
Pagerduty API token
Paypal client id and secret key
Pendo Integration Key
PivotalTracker API Token
Razorpay API key and secret key
Salesforce API key
SauceLabs Username and access Key
SendGrid API Token
Shodan.io
Slack API token
Slack Webhook
Sonarcloud
Spotify Access Token
Square
Stripe Live Token
Telegram Bot API Token
Travis CI API token
Twilio Account_sid and Auth token
Twitter API Secret
Twitter Bearer token
Visual Studio App Center API Token
WakaTime API Key
WeGlot Api Key
WPEngine API Key
YouTube API Key
Zapier Webhook Token
Zendesk Access token
Zendesk API key

Detailed Information

Slack Webhook

If the below command returns missing_text_or_fallback_or_attachments, it means that the URL is valid, any other responses would mean that the URL is invalid.

curl -s -X POST -H "Content-type: application/json" -d '{"text":""}' "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"

Slack API token

curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"

curl -sX POST "https://slack.com/api/auth.test" -H "Accept: application/json; charset=utf-8" -H "Authorization: Bearer xoxb-TOKEN_HERE"

SauceLabs Username and access Key

curl -u USERNAME:ACCESS_KEY https://saucelabs.com/rest/v1/users/USERNAME

Facebook AppSecret

You can generate access tokens by visiting the URL below.

https://graph.facebook.com/oauth/access_token?client_id=ID_HERE&client_secret=SECRET_HERE&redirect_uri=&grant_type=client_credentials

Facebook Access Token

https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2

Firebase

Requires a custom token, and an API key.

Obtain ID token and refresh token from custom token and API key: curl -s -XPOST -H 'content-type: application/json' -d '{"token":":custom_token","returnSecureToken":True}' 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=:api_key'
Exchange ID token for auth token: curl -s -XPOST -H 'content-type: application/json' -d '{"idToken":":id_token"}' https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=:api_key'

Github Token

curl -s -u "user:apikey" https://api.github.com/user
curl -s -H "Authorization: token TOKEN_HERE" "https://api.github.com/users/USERNAME_HERE/orgs"
# Check scope of your api token
curl "https://api.github.com/rate_limit" -i -u "user:apikey" | grep "X-OAuth-Scopes:"

Github client id and client secret

curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'

Firebase Cloud Messaging

Reference: https://abss.me/posts/fcm-takeover

curl -s -X POST --header "Authorization: key=AI..." --header "Content-Type:application/json" 'https://fcm.googleapis.com/fcm/send' -d '{"registration_ids":["1"]}'

GitHub private SSH key

SSH private keys can be tested against github.com to see if they are registered against an existing user account. If the key exists the username corresponding to the key will be provided. (source)

$ ssh -i <path to SSH private key> -T git@github.com
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.

Twilio Account_sid and Auth token

curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN

Twitter API Secret

curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'

Twitter Bearer token

curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'

HubSpot API key

Get all owners:

https://api.hubapi.com/owners/v2/owners?hapikey={keyhere}

Get all contact details:

https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={keyhere}

Infura API key

curl https://mainnet.infura.io/v3/<YOUR-API-KEY> -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}'

Deviant Art Secret

curl https://www.deviantart.com/oauth2/token -d grant_type=client_credentials -d client_id=ID_HERE -d client_secret=mysecret

Deviant Art Access Token

curl https://www.deviantart.com/api/v1/oauth2/placebo -d access_token=Alph4num3r1ct0k3nv4lu3

Pendo Integration Key

curl -X GET https://app.pendo.io/api/v1/feature -H 'content-type: application/json' -H 'x-pendo-integration-key:KEY_HERE'
curl -X GET https://app.pendo.io/api/v1/metadata/schema/account -H 'content-type: application/json' -H 'x-pendo-integration-key:KEY_HERE'

SendGrid API Token

curl -X "GET" "https://api.sendgrid.com/v3/scopes" -H "Authorization: Bearer SENDGRID_TOKEN-HERE" -H "Content-Type: application/json"

Keyhacks

Install / Use

README

Table of Contents