Background
The monitoring system detected an API Key belonging to a mobile project exposed on a public code-hosting platform.
Response Process
- Impact Assessment: check the Key's permission scope, associated projects, and call logs
- Immediate Mitigation: immediately add IP and Referrer restrictions to the leaked Key
- Key Rotation: create a new Key and configure minimal permissions (3 APIs plus the app's package name / SHA-1 restriction)
- Update Application: push the new Key into the configuration and trigger deployment
- Deprecate Old Key: delete the old Key only after confirming the new Key is working
- Multi-dimensional Verification: functional testing, confirmation that the old Key is invalidated, permission check
- Generate Report: automatically upload to Confluence
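The response process above, as an added example that is not the notes' own tooling: a constructed Python model of a provider key store in which the leaked Key is restricted first, a minimal-scope replacement bound to the app's package name and SHA-1 is created and verified, and the old Key is deprecated only after that verification passes (the ordering the Technical Highlights insist on). The key fields, restriction names and the `verify` callback are assumptions, not any real provider's API.

```python
from dataclasses import dataclass, field
# Constructed in-memory key store model (assumption, not a real provider API).
# A request is a dict with keys: api, ip, referrer, package, sha1.
@dataclass
class ApiKey:
    key_id: str
    scopes: set                                     # APIs the key may call
    active: bool = True
    ip_allowlist: set = field(default_factory=set)
    referrer_allowlist: set = field(default_factory=set)
    android_apps: set = field(default_factory=set)  # (package, sha1) pairs
    def authorizes(self, req):
        if not self.active or req["api"] not in self.scopes:
            return False
        if self.ip_allowlist and req.get("ip") not in self.ip_allowlist:
            return False
        if self.referrer_allowlist and req.get("referrer") not in self.referrer_allowlist:
            return False
        app = (req.get("package"), req.get("sha1"))
        return not self.android_apps or app in self.android_apps

class KeyStore:
    def __init__(self):
        self.keys, self._n = {}, 0
    def create(self, scopes, **restrictions):
        self._n += 1
        key = ApiKey(f"key-{self._n}", set(scopes), **restrictions)
        self.keys[key.key_id] = key
        return key

def respond_to_leak(store, leaked_id, needed_apis, app, ips, referrers, verify):
    """Runbook from the notes: restrict first, rotate, verify, then deprecate."""
    old = store.keys[leaked_id]
    report = {"old_scopes": len(old.scopes)}
    # Steps 1-2: assess, then mitigate by restricting, not deleting, so the
    # shipped app keeps working while the new key is rolled out.
    old.ip_allowlist |= set(ips)
    old.referrer_allowlist |= set(referrers)
    # Step 3: new key with only the APIs actually used, bound to package + SHA-1.
    new = store.create(needed_apis, android_apps={app})
    # Steps 4-5: deploy (verify is the caller's functional test of the new key)
    # and deprecate the old key only after that succeeds.
    if not verify(new.key_id):
        raise RuntimeError("new key failed verification; old key left active")
    old.active = False
    # Step 6: evidence for the report: old key rejects, new key accepts.
    probe = {"api": next(iter(needed_apis)), "package": app[0], "sha1": app[1]}
    report.update(new_key=new.key_id, new_scopes=len(new.scopes),
                  old_key_rejects=not old.authorizes(probe), new_key_accepts=new.authorizes(probe))
    return report
```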
Results
- Fully automated throughout, zero business interruption
- New Key permissions reduced from 40+ APIs to 3
Technical Highlights
- First step after a leak is mitigation (adding restrictions), not immediate deletion
- Rotation requires deploying the new Key first, then deprecating the old Key after confirmation

ClawNOC Operations Agent Practice Notes