How Do I Find the Owner of an Airbrake API Key?

TL;DR

  • The Airbrake API does not provide an endpoint to retrieve user details (name, email, etc.).

  • Instead, query project metadata to infer key ownership: use TruffleHog to automate this, or call the /projects endpoint manually.

Identifying the Owner of an Airbrake API Key

Airbrake’s API does not offer a /users/me or similar endpoint to fetch user details. This makes identifying API key ownership challenging.

However, since Airbrake organizes API keys by project, querying project metadata can help determine key ownership.

Automating Project Identification with TruffleHog

Manually querying API endpoints for every leaked key is inefficient. TruffleHog automates this process by analyzing Airbrake API keys and fetching project details.

To get started, run the following command:


trufflehog analyze airbrake


You'll be prompted to enter a valid Airbrake API key.



After running TruffleHog's Airbrake analyzer, you'll see the project IDs and names associated with that key.



Use the project name to infer ownership.

What’s Happening Behind the Scenes?

  • TruffleHog authenticates to Airbrake using the provided API key.

  • It queries the /projects endpoint, extracting project metadata.

  • It outputs the project details, helping security teams quickly determine ownership.

Check out the TruffleHog code implementation for more details.

Querying Airbrake for Project Information (Manual Method)

If you prefer a manual approach, use the following cURL command:


curl "https://api.airbrake.io/api/v4/projects?key=<AIRBRAKE_API_KEY>"


Expected Response:


{
  "projects": [
    {
      "id": 12345,
      "name": "Production eCommerce Application",
      "updated_at": "2025-01-15T10:30:00Z"
    }
  ]
}


  • name: Identifies the project linked to the API key.

Knowing the project name can help security teams trace the key owner.
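
When several leaked keys need triage at once, the same /projects call can be scripted. The following Python is an added example, not TruffleHog's code or part of the original article. It assumes the response shape shown above, and the function names, the SHA-256 fingerprint scheme and the status labels are assumptions made for illustration.

```python
import hashlib
import json
import urllib.parse
import urllib.request

# Endpoint taken from the curl command in this article.
PROJECTS_URL = "https://api.airbrake.io/api/v4/projects"


def fetch_projects(api_key, timeout=10):
    """Return the raw /projects response body, or None if the request fails."""
    url = PROJECTS_URL + "?" + urllib.parse.urlencode({"key": api_key})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except OSError:  # URLError/HTTPError (e.g. rejected key) and timeouts
        return None


def fingerprint(api_key):
    """Short SHA-256 prefix so a report can reference a key without containing it."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:12]


def triage(api_keys, fetch=fetch_projects):
    """Map each distinct key's fingerprint to the projects it can list."""
    report = {}
    for key in dict.fromkeys(k.strip() for k in api_keys if k.strip()):
        try:
            projects = json.loads(fetch(key) or "null")["projects"]
        except (ValueError, KeyError, TypeError):
            projects = None  # empty body or not the response shape shown above
        if not isinstance(projects, list):
            report[fingerprint(key)] = {"status": "no-project-data", "projects": []}
            continue
        report[fingerprint(key)] = {
            "status": "live",
            "projects": [(p.get("id"), p.get("name"), p.get("updated_at"))
                         for p in projects if isinstance(p, dict)],
        }
    return report


if __name__ == "__main__":
    # Constructed demo: the fake fetch returns the sample response from this article.
    sample = ('{"projects": [{"id": 12345, "name": "Production eCommerce Application",'
              ' "updated_at": "2025-01-15T10:30:00Z"}]}')
    fake = lambda key: sample if key == "constructed-key-A" else None
    print(json.dumps(triage(["constructed-key-A", "constructed-key-B"], fetch=fake), indent=2))
```

The report is keyed by fingerprint rather than by the key itself, so it can be pasted into a ticket without spreading the secret further.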

Why This Matters

Leaked Airbrake API keys pose a security risk, potentially exposing sensitive application error logs. Security teams should: 

  • Immediately rotate the exposed keys.

  • Audit project access to prevent unauthorized use. 

TruffleHog simplifies this process by automating key identification and project association. 

For more on TruffleHog’s capabilities, visit the TruffleHog GitHub repository.