Skip to main content

Mailgun Primary Key

Description#

General#

  • Documentation: https://documentation.mailgun.com/en/latest/api_reference.html
  • Summary: Mailgun API allows sending emails and performing other actions linked to the Mailgun account programmatically. The API key has full control over the account (it is possible to remove domains and send mails).
  • IPs allowlist: Yes see here.
  • Scopes: Mailgun API keys have no scopes and have full access to the account. There is one API key per account and not per user. Thus, leaking a Mailgun API key is a really sensitive event.

Revoke the secret#

Be cautious, only one private API key per account can be obtained. To revoke the key, please refer to the API security in the console and click on the "Reset Private API key" button. Be aware that when a freshly revoked secret will still be active during the following 48 hours.

Check for suspicious activity#

Based on available information, there is no way to check if an API key was used or not. One possible workaround is to check if the key was used to send emails in the Mailgun logs panel. Anyone who has such an access key has unrestricted access to all the account resources, including billing information.

Details for Mailgun basic auth#

  • Family: Api

  • Category: Messaging system

  • Company: Mailgun

  • High recall: True

  • Validity check available: True

  • On-premise instances exist: False

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 4.27

  • Prefixed: True

  • PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - key-[a-f0-9]{32}

Examples#

- text: >    curl -H "Authorization: Bearer key-ae54fcc23ade65fa404a65e78c56f898     https://api.linode.com/v4/account  apikey: key-ae54fcc23ade65fa404a65e78c56f898