How do I Find the Owner of an Asana API Key?
TL;DR
Automate ownership detection with
trufflehog analyze asana
for fast, scalable results.Use the Asana API (
/users/me
) to manually identify an API key's owner.
Leaking an Asana API key is a serious security risk. If you find one, the first step is determining who owns it. The best approach is to automate detection with TruffleHog, but you can also manually query Asana’s API.
Option 1: Automating Ownership Detection with TruffleHog
Manually checking API keys doesn't scale. TruffleHog automates ownership identification and even checks key permissions.
Using TruffleHog to Analyze an Asana API Key
TruffleHog includes a built-in Asana analyzer that automates ownership identification (and key permissions!). Run the following command:
You'll be prompted to enter the API key to ensure it isn’t stored in bash history.

What Happens Behind the Scenes
TruffleHog authenticates to Asana’s API using the provided key.
It queries the
/users/me
endpoint to fetch ownership details.The tool outputs concise metadata, including the owner’s name, email, and associated workspaces.

Why Use TruffleHog?
Time-Saving Automation: No need to configure API headers or parse responses manually.
Scalable Workflow: Ideal for organizations scanning repositories or logs for secrets
Immediate Context: Quickly identify key owners for faster incident response.
Permissions Scanning: TruffleHog also analyzes the key’s access scope, helping with remediation.
Option 2: Using the Asana API to Identify Key Ownership
If you prefer a manual approach, Asana’s API provides a straightforward way to determine who owns an API key.
Steps to Identify the Key Owner
Make a GET request to the /users/me
endpoint, authenticating with the API key in the Authorization header as a Bearer token. For example:
Review the JSON response, including metadata about the user linked to the API key. A typical response looks like this:
The key fields to look for:
name - Identifies the key owner.
email - Helps in reaching out for remediation.
workspaces - Provides context on where the key is used.
Why This Matters
Exposed API keys are often an entry point for unauthorized access, making them high-priority risks. Identifying the owner quickly allows you to:
Alert them to the issue.
Rotate the compromised key.
Audit their access for potential misuse.
Security teams can efficiently triage leaked secrets and mitigate security incidents by leveraging Asana’s API or automating key ownership detection with TruffleHog.
For more on TruffleHog and secret detection automation, visit the TruffleHog GitHub repository.
STAY STRONG
DIG DEEP
DOING IT THE RIGHT WAY
SINCE 2021
© 2025 Truffle Security Co.