What to do if your API key is leaked
A 5-step playbook for the moment you realise a key has been pushed to GitHub, pasted in a screenshot, or printed in a log. Stay calm — every key is revocable and rotation takes about a minute.
Step 1 — Revoke the key immediately
Open /dashboard/api-keys and click Revoke next to the affected key. Revocation is instant — the next request using that key returns 401 INVALID_API_KEY.
Prefer the API? Use the dashboard endpoint with your authenticated session:
# Revoke a key by id (from /dashboard/api-keys)
curl -X DELETE "https://khaleejiapi.dev/api/dashboard/api-keys?id=KEY_ID" \
  -H "Cookie: <your dashboard session>"

Step 2 — Issue a replacement and rotate
Create a new key in the dashboard and roll it through every place the old one lived: secret managers, environment files, CI variables, mobile build configs. If you need a brief overlap window, verify that the new key answers a health check before you revoke the old one.
// 1. Create the new key in the dashboard
const newKey = "khj_live_..."

// 2. Update every running deployment / secret store
// (Vercel / AWS Secrets Manager / GitHub Actions / .env)

// 3. Verify the new key works (a revoked or mistyped key returns 401)
const res = await fetch("https://khaleejiapi.dev/api/v1/health", {
  headers: { "x-api-key": newKey },
})
if (!res.ok) throw new Error(`new key rejected: HTTP ${res.status}`)

// 4. Only then, revoke the old key.

Step 3 — Audit recent usage
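As an added example (not the project's own code), the Step 1 and Step 2 sequence as one rotation helper with the overlap window built in: it proves the new key passes /api/v1/health, revokes the old key through the dashboard DELETE endpoint, then checks that the old key really returns 401 before reporting success. The endpoint paths, headers and status codes are the ones shown on this page; the names `rotateApiKey` and `makeMockApi`, the `oldKey` parameter and the in-memory mock are assumptions so the flow can be dry-run offline.

```javascript
const BASE = "https://khaleejiapi.dev";

// Rotate with an overlap window. Returns a small status report for logging.
// `fetchImpl` is injectable so the flow can be exercised against a mock offline.
async function rotateApiKey({ newKey, oldKey, oldKeyId, sessionCookie, fetchImpl = fetch }) {
  const health = (key) =>
    fetchImpl(`${BASE}/api/v1/health`, { headers: { "x-api-key": key } });

  // 1. The NEW key must pass a health check before anything is revoked.
  const fresh = await health(newKey);
  if (!fresh.ok) {
    throw new Error(`new key failed health check (HTTP ${fresh.status}); old key left active`);
  }

  // 2. Revoke the old key by id via the dashboard endpoint (session-cookie auth).
  const revoke = await fetchImpl(
    `${BASE}/api/dashboard/api-keys?id=${encodeURIComponent(oldKeyId)}`,
    { method: "DELETE", headers: { Cookie: sessionCookie } },
  );
  if (!revoke.ok) throw new Error(`revocation failed (HTTP ${revoke.status})`);

  // 3. Prove the old key is dead: a revoked key must now get 401.
  const stale = await health(oldKey);
  if (stale.status !== 401) {
    throw new Error(`old key still accepted (HTTP ${stale.status}); investigate before closing the incident`);
  }
  return { newKeyStatus: fresh.status, revokeStatus: revoke.status, oldKeyStatus: stale.status };
}

// Constructed in-memory stand-in for the API (assumption, not the real service),
// so the rotation can be dry-run without network access. `keys` maps id -> key string.
function makeMockApi(keys) {
  const active = new Map(Object.entries(keys));
  return async (url, init = {}) => {
    const u = new URL(url);
    if (u.pathname === "/api/v1/health") {
      const key = init.headers?.["x-api-key"];
      const ok = [...active.values()].includes(key);
      return { ok, status: ok ? 200 : 401 };
    }
    if (u.pathname === "/api/dashboard/api-keys" && init.method === "DELETE") {
      if (!init.headers?.Cookie) return { ok: false, status: 401 };
      const removed = active.delete(u.searchParams.get("id"));
      return removed ? { ok: true, status: 200 } : { ok: false, status: 404 };
    }
    return { ok: false, status: 404 };
  };
}
```

If the new key fails its health check the function throws before touching the old key, so a typo in a secret store never leaves you with no working key.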
In your dashboard, review usage for the leaked key over the period since exposure. Look for unfamiliar source IPs, request spikes, or calls to endpoints you don't use. If anything looks off, contact [email protected] — we keep request logs and can help reconstruct what happened.
Step 4 — Remove the key from version control
Revoking the key is the most important step, but the leaked string should still come out of git history so it doesn't live forever in clones and forks. Use git filter-repo or GitHub's push protection & secret scanning features. If the repo is public, also rotate any other secrets that lived alongside it — attackers grab everything in a single sweep.
Step 5 — Prevent the next leak
A few habits make leaks far less costly:
- Lock keys to IPs. If your integration runs from known servers, allowlist those IPs on the key. A leaked key is then unusable from a laptop or a cloud function elsewhere.
- One key per environment. Use separate keys for development, staging, and production. Revoking one doesn't take down the others.
- Never embed in client-side code. Keys belong on the server. Browser apps and mobile binaries should call your backend, which calls KhaleejiAPI.
- Enable GitHub secret scanning. We participate in the GitHub secret scanning partner program — keys pushed to public repos are automatically flagged.
// Lock a key to your server's egress IPs so a leaked
// key is useless from anywhere else.
// Configure in: dashboard → API keys → Restrict IPs
{
  "allowed_ips": ["203.0.113.7", "203.0.113.8"]
}