Skip to main content

Mailgun Primary Key



  • Summary: Mailgun API allows you to send emails and perform other actions linked to your Mailgun account programmatically. The API key has full control over your account (you can remove domains, send mails)
  • IPs allowlist: Yes see here
  • Scopes: Mailgun API key has no scopes and have full access to your account. You have one API key per account and not per user.So leaking a Mailgun API key is a really sensitive event

Revoke the secret#

Be careful you can currently have only one private API key per account. Go to the API security in your console and click on the "Reset Private API key" button. Be aware than when you revoke a secret it will still be active during 48 hours.

Check for suspicious activity#

As far as we know, there is no way to check if an API key was used or not. The only thing you can do is check if your key was used to send emails in your Mailgun logs panel. Anyone who has such an access key has unrestricted access to all the account resources, including billing information.

Details for Mailgun basic auth#

  • Family: Api

  • Category: Messaging system

  • Company: Mailgun

  • High recall: True

  • Validity check available: True

  • On-premise instances exist: False

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 4.27

  • Prefixed: True

  • PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - key-


- text: >    curl -H "Authorization: Bearer key-ae54fcc23ade65fa404a65e78c56f898  apikey: key-ae54fcc23ade65fa404a65e78c56f898