How Do I Find the Owner of a Mailgun API Key?

tl;dr Newly issued Mailgun API keys embed a key ID, which can be used to query the /v1/keys endpoint to retrieve ownership details. Older keys don’t have an embedded ID; instead, we query Mailgun for domains associated with the account to infer ownership.

Automating Ownership Detection with TruffleHog

Manually checking API keys is tedious. TruffleHog automates the process, identifying Mailgun API key ownership with the domain-based approach described below.

Run:

trufflehog analyze mailgun

You’ll be prompted to enter the API key.

TruffleHog will then:

  1. Authenticate to the Mailgun API using the supplied credential.

  2. Query the /v4/domains endpoint to fetch domains associated with the account.

  3. Output domain metadata to help users infer API key ownership.

This method works reliably for both older and newer Mailgun API keys since every Mailgun account is tied to at least one domain.

Manually Identifying Mailgun API Key Owners

If you want to retrieve ownership details manually, your method depends on whether the key is new or old.

For Newer Mailgun API Keys (with embedded key IDs)

Newer Mailgun API keys contain an embedded key ID, which allows direct querying of the /v1/keys endpoint.

Extract the key ID, which is the portion of the key following the first hyphen, as in this example:

API Key: 51e92227d774cbbed809f8f52e2875b8-667818f5-78596bf1
ID: 667818f5-78596bf1

Run:

curl -X GET https://api.mailgun.net/v1/keys --user 'api:<MAILGUN_API_KEY>'

Filter the JSON output to find details for the key associated with the ID from above.

{
  "total_count": 2,
  "items": [
    ...,
    {
      "id": "667818f5-78596bf1",
      "description": "None key",
      "kind": "web",
      "role": "admin",
      "created_at": "2025-02-04T16:29:20",
      "updated_at": "2025-02-04T16:29:20",
      "expires_at": "2025-02-05T16:29:20",
      "domain_name": null,
      "requestor": "[email protected]",
      "user_name": null
    }
  ]
}

The requestor field will provide you with the email address of the user who created the key.

For Older Mailgun API Keys (No Embedded Key ID)

For older keys, the /v1/keys endpoint still returns metadata for every API key on the account, but without knowing the key ID in advance there is no way to match the individual key you hold with an entry in the response.

The only reliable method for identifying ownership of older Mailgun API keys is querying for domains associated with that account.

Run the following command:

curl -X GET https://api.mailgun.net/v4/domains \
  --user 'api:<MAILGUN_API_KEY>'

Expected Response:

{
  "total_count": 1,
  "items": [
    {
      "name": "example.com",
      "state": "active"
    }
  ]
}

Key fields to check:

  • name – A domain associated with this key.

  • state – If "active", the domain is still in use.
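As an added example (not TruffleHog's code or Mailgun's), the decision described above in Python: extract the embedded ID where one exists, match it against a /v1/keys response, and otherwise fall back to the /v4/domains listing. The key-format regex is an assumption inferred from the example key shown above; the JSON responses, the older-style key and the requestor address are constructed stand-ins for live API output.

```python
import re
from typing import Optional

# Newer keys look like "<32 hex>-<8 hex>-<8 hex>" (assumption: format inferred from
# the page's example key); the part after the first hyphen is the key ID that
# /v1/keys reports. Older keys carry no such suffix, so the pattern does not match.
KEY_WITH_ID = re.compile(r"^[0-9a-f]{32}-([0-9a-f]{8}-[0-9a-f]{8})$")

def extract_key_id(api_key: str) -> Optional[str]:
    """Return the embedded key ID, or None for an older key without one."""
    match = KEY_WITH_ID.match(api_key.strip())
    return match.group(1) if match else None

def find_requestor(keys_response: dict, key_id: str) -> Optional[str]:
    """Return the 'requestor' of the /v1/keys item whose id equals key_id."""
    for item in keys_response.get("items", []):
        if item.get("id") == key_id:
            return item.get("requestor")
    return None

def active_domains(domains_response: dict) -> list:
    """Return names of domains whose state is 'active' in a /v4/domains response."""
    return [d["name"] for d in domains_response.get("items", [])
            if d.get("state") == "active"]

def attribute(api_key: str, keys_response: dict, domains_response: dict) -> dict:
    """Prefer the key-ID lookup; fall back to the domain listing for older keys
    or when the ID is absent from /v1/keys (for example an already revoked key)."""
    key_id = extract_key_id(api_key)
    if key_id is not None:
        owner = find_requestor(keys_response, key_id)
        if owner:
            return {"method": "key_id", "key_id": key_id, "owner": owner}
    return {"method": "domains", "domains": active_domains(domains_response)}

# Constructed sample responses standing in for the live API calls.
SAMPLE_KEYS = {"total_count": 1, "items": [
    {"id": "667818f5-78596bf1", "role": "admin", "domain_name": None,
     "requestor": "owner@example.com"}]}
SAMPLE_DOMAINS = {"total_count": 2, "items": [
    {"name": "example.com", "state": "active"},
    {"name": "old.example.com", "state": "disabled"}]}
NEW_KEY = "51e92227d774cbbed809f8f52e2875b8-667818f5-78596bf1"  # key from the page
OLD_KEY = "key-0123456789abcdef0123456789abcdef"  # constructed older-style key

if __name__ == "__main__":
    print(attribute(NEW_KEY, SAMPLE_KEYS, SAMPLE_DOMAINS))
    print(attribute(OLD_KEY, SAMPLE_KEYS, SAMPLE_DOMAINS))
```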

Why This Matters

Leaked Mailgun API keys can pose a significant risk, potentially exposing:
✅ The ability to send emails on behalf of an organization.
✅ Email logs containing sensitive data.
✅ Domain authentication settings.

What to Do If You Find an Exposed Mailgun API Key

🔹 Immediately revoke the compromised key via the Mailgun dashboard.
🔹 Audit email logs to check for unauthorized email activity.
🔹 Enforce IP whitelisting to restrict API access.

TruffleHog simplifies the process by automatically identifying ownership using the older, domain-based approach, making it easier to determine the impact of a leaked key.

🔍 Check out the TruffleHog GitHub repository for more details.