How Do I Find the Owner of a Mailgun API Key?
tl;dr Newly issued Mailgun API keys embed a key ID, which can be used to query the /v1/keys endpoint to retrieve ownership details. Older keys don’t have an embedded ID; instead, we query Mailgun for domains associated with the account to infer ownership.
Automating Ownership Detection with TruffleHog
Manually checking API keys is tedious. TruffleHog automates the process by identifying Mailgun API key ownership using a domain-based approach.
Run:
You’ll be prompted to enter the API key.

TruffleHog will then:
Authenticate to the Mailgun API using the supplied credential.
Query the /v4/domains endpoint to fetch domains associated with the account.
Output domain metadata to help users infer API key ownership.

This method works reliably for both older and newer Mailgun API keys since every Mailgun account is tied to at least one domain.
Manually Identifying Mailgun API Key Owners
If you want to retrieve ownership details manually, your method depends on whether the key is new or old.
For Newer Mailgun API Keys (with embedded key IDs)
Newer Mailgun API keys contain an embedded key ID, which allows direct querying of the /v1/keys endpoint.
Extract the key ID.
Run:
Filter the JSON output to find details for the key associated with the ID from above.
The requestor field will provide you with the email address of the user who created the key.
For Older Mailgun API Keys (No Embedded Key ID)
For older keys, the /v1/keys endpoint returns metadata for all of the account's API keys, but without knowing the key ID in advance, there is no way to match an individual key with an entry in the response.
The only reliable method for identifying ownership of older Mailgun API keys is querying for domains associated with that account.
Run the following command:
Expected Response:
Key fields to check:
name – A domain associated with this key.
state – If "active", the domain is still in use.
Why This Matters
Leaked Mailgun API keys can pose a significant risk, potentially exposing:
✅ The ability to send emails on behalf of an organization.
✅ Email logs containing sensitive data.
✅ Domain authentication settings.
What to Do If You Find an Exposed Mailgun API Key
🔹 Immediately revoke the compromised key via the Mailgun dashboard.
🔹 Audit email logs to check for unauthorized email activity.
🔹 Enforce IP whitelisting to restrict API access.
TruffleHog simplifies the process by automatically identifying ownership using the older, domain-based approach, making it easier to determine the impact of a leaked key.
🔍 Check out the TruffleHog GitHub repository for more details.
© 2025 Truffle Security Co.