Mailgun Primary Key

Description

General

Documentation: https://documentation.mailgun.com/en/latest/api_reference.html
Summary: Mailgun API allows sending emails and performing other actions linked to the Mailgun account programmatically. The API key has full control over the account (it is possible to remove domains and send mails).
IPs allowlist: Yes see here.
Scopes: Mailgun API keys have no scopes and have full access to the account. There is one API key per account and not per user. Thus, leaking a Mailgun API key is a really sensitive event.

Revoke the secret

Be cautious, only one private API key per account can be obtained. To revoke the key, please refer to the API security in the console and click on the "Reset Private API key" button. Be aware that when a freshly revoked secret will still be active during the following 48 hours.

Check for suspicious activity

Based on available information, there is no way to check if an API key was used or not. One possible workaround is to check if the key was used to send emails in the Mailgun logs panel. Anyone who has such an access key has unrestricted access to all the account resources, including billing information.

Details for `Mailgun basic auth`

Family: Api
Category: Messaging system
Company: Mailgun
High recall: True
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 4.27
Prefixed: True
PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - key-[a-f0-9]{32}

Examples

- text: |
    curl -H "Authorization: Bearer key-ae54fcc23ade65fa404a65e78c56f898 
    https://api.linode.com/v4/account
  apikey: key-ae54fcc23ade65fa404a65e78c56f898