Mailgun Primary Key
- Documentation: https://documentation.mailgun.com/en/latest/api_reference.html
- Summary: Mailgun API allows sending emails and performing other actions linked to the Mailgun account programmatically. The API key has full control over the account (it is possible to remove domains and send mails).
- IP allowlist: Yes, see here.
- Scopes: Mailgun API keys have no scopes and have full access to the account. There is one API key per account and not per user. Thus, leaking a Mailgun API key is a really sensitive event.
Revoke the secret
Be cautious: only one private API key per account can be obtained. To revoke the key, go to the API security section of the console and click the "Reset Private API key" button. Be aware that a freshly revoked secret will still be active during the following 48 hours.
Check for suspicious activity
Based on available information, there is no way to check if an API key was used or not. One possible workaround is to check if the key was used to send emails in the Mailgun logs panel. Anyone who has such an access key has unrestricted access to all the account resources, including billing information.
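One way to triage the Mailgun logs after a leak, as an added example (not Mailgun or detector code): it flags accepted sends from unrecognised senders between the leak and the end of the 48-hour period in which the reset key still works. The record fields (`event`, `timestamp`, `envelope.sender`, `recipient`) are assumed to match your exported log, and the dates, addresses and helper names are constructed.

```python
from datetime import datetime, timedelta, timezone

# From the page: a reset key remains usable for 48 hours after the reset.
GRACE = timedelta(hours=48)

def exposure_window(leaked_at, reset_at):
    """Period during which the leaked key could authenticate."""
    return leaked_at, reset_at + GRACE

def suspicious_sends(events, leaked_at, reset_at, known_senders):
    """Return accepted sends inside the window from senders you do not recognise."""
    start, end = exposure_window(leaked_at, reset_at)
    known = {s.lower() for s in known_senders}
    hits = []
    for ev in events:
        if ev.get("event") != "accepted":  # count each message once
            continue
        ts = datetime.fromtimestamp(float(ev["timestamp"]), tz=timezone.utc)
        if not start <= ts <= end:
            continue
        sender = ev.get("envelope", {}).get("sender", "").lower()
        if sender not in known:
            hits.append((ts.isoformat(), sender, ev.get("recipient", "")))
    return hits

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def make_event(kind, when, sender, recipient):
    # Constructed record; field names are assumed to match the exported log.
    return {"event": kind, "timestamp": when.timestamp(),
            "envelope": {"sender": sender}, "recipient": recipient}

LEAKED_AT = utc(2024, 3, 1, 0)   # constructed: when the key was exposed
RESET_AT = utc(2024, 3, 2, 12)   # constructed: when the key was reset
SAMPLE_EVENTS = [                # constructed sample log
    make_event("accepted", utc(2024, 2, 28, 10), "old@example.net", "a@example.org"),
    make_event("accepted", utc(2024, 3, 1, 8), "noreply@example.com", "b@example.org"),
    make_event("accepted", utc(2024, 3, 3, 9), "billing@example.net", "c@example.org"),
    make_event("delivered", utc(2024, 3, 3, 9), "billing@example.net", "c@example.org"),
    make_event("accepted", utc(2024, 3, 5, 9), "late@example.net", "d@example.org"),
]

if __name__ == "__main__":
    known = ["noreply@example.com"]
    for hit in suspicious_sends(SAMPLE_EVENTS, LEAKED_AT, RESET_AT, known):
        print(hit)
```

An empty result only covers email sending: as stated above, other uses of the key leave nothing to check in these logs.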
Mailgun basic auth
Category: Messaging system
High recall: True
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 4.27
- type: ContentWhitelistPreValidator
- text: |
curl -H "Authorization: Bearer key-ae54fcc23ade65fa404a65e78c56f898