Leaked API key remediation

Steps to take if your Lightfield API key has been exposed in a public repository or other public location.

If your Lightfield API key (sk_lf_...) has been detected in a public repository, log file, or other publicly accessible location, follow the steps below immediately. Exposed keys can be used by anyone to access your Lightfield workspace data.

Step 1: Revoke the compromised key

  1. Sign in to the Lightfield dashboard.
  2. Navigate to Settings > API keys.
  3. Find the compromised key and click Revoke.

Revocation is immediate and permanent. Any integration using the revoked key will stop working.

Step 2: Create a replacement key

  1. On the same API keys settings page, click Create key.
  2. Grant only the scopes your integration requires.
  3. Copy the new key and store it in a secrets manager or environment variable.

Step 3: Update every system that uses the key

Replace the old key with the new one in every system that uses it:

  • Environment variables (.env files, CI/CD secrets, cloud provider secret stores)
  • Application configuration
  • Third-party services that call the Lightfield API on your behalf

Step 4: Review workspace activity

Review recent activity in your Lightfield workspace to check for any unauthorized changes:

  • Look for unexpected accounts, contacts, or opportunities that may have been created, modified, or deleted.
  • Check for unfamiliar workflow configurations.
  • If you notice suspicious activity, contact support@lightfield.app for assistance.

Step 5: Remove the secret from your repository history

Removing the key from the current version of a file is not enough. The key will still be visible in your git history. To fully remove it:

  • Use a tool like git filter-repo or BFG Repo-Cleaner to rewrite history.
  • Force-push the cleaned history.
  • If the repository is public, consider the key permanently compromised regardless of history rewriting, since the content may have been cached or cloned by others.

Prevent future leaks

  • Use environment variables or a secrets manager instead of hardcoding keys in source code.
  • Add secret patterns to .gitignore to prevent committing .env files or other configuration files that contain keys.
  • Enable GitHub secret scanning on your repositories to receive alerts when secrets are pushed.
  • Use separate keys per integration so a single leak only affects one service.
  • Rotate keys periodically to limit the window of exposure if a key is leaked without detection.
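As an added example (not Lightfield's own tooling), the following pre-commit style check scans staged files for the sk_lf_ key prefix shown above and refuses commits of .env files. The exact length and character set after the prefix are an assumption; the sample file contents and key values are constructed.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Assumed key shape: the page only shows the "sk_lf_" prefix; the rest is a guess.
KEY_PATTERN = re.compile(r"sk_lf_[A-Za-z0-9]{8,}")

# File names that should never be committed (mirrors the .gitignore advice).
FORBIDDEN_NAMES = {".env", ".env.local"}


def find_leaked_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_key) for each sk_lf_ key found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            key = match.group(0)
            # Mask the value so the hook's own output does not leak the key.
            hits.append((lineno, key[:6] + "..." + key[-4:]))
    return hits


def check_files(files: Dict[str, str]) -> List[str]:
    """Takes a map of path -> content; returns one message per problem found."""
    problems = []
    for path, content in files.items():
        if path.rsplit("/", 1)[-1] in FORBIDDEN_NAMES:
            problems.append(f"{path}: secrets file must not be committed")
        for lineno, masked in find_leaked_keys(content):
            problems.append(f"{path}:{lineno}: Lightfield key {masked} found")
    return problems


def staged_files() -> Dict[str, str]:
    """Read the staged version of each added/changed file from git."""
    run = lambda *a: subprocess.run(a, capture_output=True, text=True, check=True).stdout
    names = run("git", "diff", "--cached", "--name-only", "--diff-filter=ACM").split()
    return {name: run("git", "show", f":{name}") for name in names}


# Constructed sample of staged content; the key values are fake.
SAMPLE_FILES = {
    "app/config.py": 'LIGHTFIELD_API_KEY = "sk_lf_EXAMPLE1234567890abcdef"\n',
    "README.md": "Set LIGHTFIELD_API_KEY in your environment.\n",
    "deploy/.env": "LIGHTFIELD_API_KEY=sk_lf_EXAMPLEzzzz9999\n",
}

if __name__ == "__main__":
    # Swap SAMPLE_FILES for staged_files() to run this as a real pre-commit hook.
    found = check_files(SAMPLE_FILES)
    print("\n".join(found) or "no Lightfield keys found")
    raise SystemExit(1 if found else 0)
```

Installed as .git/hooks/pre-commit, a non-zero exit blocks the commit, which catches the key before it ever reaches history and avoids the rewrite described in Step 5.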

For more on managing API keys securely, see API keys.

If you need help investigating a leaked key or believe your workspace data has been accessed without authorization, contact us at support@lightfield.app.