Alchemy API Key
ID | alchemy_key
Severity | high
Vendor | Alchemy
Family | API Token
Description
Alchemy is a powerful blockchain developer platform providing a suite of developer tools. Developers building apps which interact with Ethereum can use Alchemy’s powerful APIs to supercharge their apps, and leverage features not available in vanilla nodes.
The Alchemy API key is an authentication credential: anyone who knows it can query the Alchemy API on behalf of the account it belongs to.
Legacy API keys are embedded in the request URL. The alternative is an Alchemy Access Key, which is sent as a Bearer token in the Authorization header, so the key does not end up in access logs, browser history or cached data the way a URL path segment does.
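As an added example (not code from this page or from Alchemy), the following Go program shows the header-based form described above: the key is read from an environment variable, assumed here to be named ALCHEMY_ACCESS_KEY, and is sent as a Bearer token while the request line stays free of secrets. The base URL used for the header-authenticated endpoint is an assumption of this example; the request body is a standard JSON-RPC 2.0 eth_blockNumber call.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// alchemyBaseURL is an assumed endpoint for header-authenticated requests:
// the key is not a path segment, so nothing secret appears in the URL.
const alchemyBaseURL = "https://eth-mainnet.g.alchemy.com/v2/"

// rpcRequest is a JSON-RPC 2.0 request body.
type rpcRequest struct {
	JSONRPC string `json:"jsonrpc"`
	ID      int    `json:"id"`
	Method  string `json:"method"`
	Params  []any  `json:"params"`
}

// NewAlchemyRequest builds a JSON-RPC request that carries the access key
// in the Authorization header instead of the URL. An empty key is rejected
// so a missing environment variable cannot silently produce an unauthenticated call.
func NewAlchemyRequest(method string, params []any, accessKey string) (*http.Request, error) {
	if strings.TrimSpace(accessKey) == "" {
		return nil, errors.New("alchemy access key is empty")
	}
	if params == nil {
		params = []any{} // marshal as [] rather than null
	}
	body, err := json.Marshal(rpcRequest{JSONRPC: "2.0", ID: 1, Method: method, Params: params})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, alchemyBaseURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+accessKey)
	return req, nil
}

// AccessKeyFromEnv reads the key from the environment so it never lives in
// source control. ALCHEMY_ACCESS_KEY is an assumed variable name.
func AccessKeyFromEnv() (string, error) {
	key := os.Getenv("ALCHEMY_ACCESS_KEY")
	if key == "" {
		return "", errors.New("ALCHEMY_ACCESS_KEY is not set")
	}
	return key, nil
}

func main() {
	key, err := AccessKeyFromEnv()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	req, err := NewAlchemyRequest("eth_blockNumber", nil, key)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// This is all an access log or proxy would record of the request line.
	fmt.Println(req.Method, req.URL.String())
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	out, _ := io.ReadAll(resp.Body)
	fmt.Println(resp.Status, string(out))
}
```

Printing req.URL before sending is the quick check: with the legacy scheme the key would be visible there, with the header scheme it is not.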
Security
Any hardcoded Alchemy API Key is a potential secret reported by this detector.
Accidentally checking the key into a source control repository could compromise your Alchemy account.
Examples
```go
package main

import (
	"log"

	"github.com/ethereum/go-ethereum/ethclient"
)

func main() {
	// The API key is embedded in the request URL: this is the pattern the detector flags.
	client, err := ethclient.Dial("https://eth-mainnet.g.alchemy.com/v2/AhfMHOtAPvaxaKrpwpzUwevkAdSwTNTv")
	if err != nil {
		log.Fatal(err)
	}
	_ = client
}
```
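An added check, written for this page and not part of the detector: a small Go scanner that finds URL-embedded Alchemy keys in source text and reports them redacted. The regular expression is this example's own assumption about the key's shape (the real detector's pattern is not given on this page), and the source fragment it scans is constructed, reusing the example URL above next to a safe variant that takes the key from the environment at runtime.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of a legacy URL-embedded key: a *.g.alchemy.com/v2/ URL whose
// final path segment is a long run of URL-safe characters. This pattern is
// an assumption of this example, not the detector's published rule.
var alchemyURLKey = regexp.MustCompile(`https://[a-z0-9.-]+\.g\.alchemy\.com/v2/([A-Za-z0-9_-]{20,})`)

// Finding records the line number and the key captured from a matching URL.
type Finding struct {
	Line int
	Key  string
}

// FindAlchemyKeys scans source text line by line and returns every key that
// appears as the path segment of an Alchemy request URL.
func FindAlchemyKeys(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, m := range alchemyURLKey.FindAllStringSubmatch(line, -1) {
			out = append(out, Finding{Line: i + 1, Key: m[1]})
		}
	}
	return out
}

// Redact keeps the first four characters so a finding can be correlated
// with the dashboard without reprinting the full secret in a report.
func Redact(key string) string {
	if len(key) <= 4 {
		return strings.Repeat("*", len(key))
	}
	return key[:4] + strings.Repeat("*", len(key)-4)
}

// constructedSource is a made-up Go fragment for the scanner to run on.
// Line 1 embeds the key in the URL; line 3 builds the URL from the environment.
const constructedSource = `client, err := ethclient.Dial("https://eth-mainnet.g.alchemy.com/v2/AhfMHOtAPvaxaKrpwpzUwevkAdSwTNTv")
// safe: the key is read from the environment at runtime
url := "https://eth-mainnet.g.alchemy.com/v2/" + os.Getenv("ALCHEMY_API_KEY")`

func main() {
	for _, f := range FindAlchemyKeys(constructedSource) {
		fmt.Printf("line %d: URL-embedded Alchemy key %s\n", f.Line, Redact(f.Key))
	}
}
```

The environment-based line on purpose yields no finding: the scanner looks for the literal key in the URL, which is exactly the thing that should never be in a committed file.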
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to your Alchemy dashboard to revoke the API Key.
- Replace the API Key in the source code or committed configuration file with a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.
- If the project is under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
You should consider any sensitive data in commits containing secrets as compromised. Remember that secrets may be removed from the history of your own projects, but not from other users' clones or forks of the repository, so revoking the key is the only step that actually closes the exposure.