---
title: Leaked API key remediation | Lightfield
description: Steps to take if your Lightfield API key has been exposed in a public repository or other public location.
---

If your Lightfield API key (`sk_lf_...`) has been detected in a public repository, log file, or other publicly accessible location, follow the steps below immediately. Exposed keys can be used by anyone to access your Lightfield workspace data.

A leaked API key should be treated as compromised. Revoke it immediately, even if you believe the exposure was brief.

## Step 1: Revoke the exposed key

1. Sign in to the [Lightfield dashboard](https://crm.lightfield.app).
2. Navigate to **Settings > API keys** ([direct link](https://crm.lightfield.app/crm/settings/api-keys)).
3. Find the compromised key and click **Revoke**.

Revocation is immediate and permanent. Any integration using the revoked key will stop working.

## Step 2: Create a replacement key

1. On the same [API keys settings page](https://crm.lightfield.app/crm/settings/api-keys), click **Create key**.
2. Grant only the [scopes](/using-the-api/scopes/index.md) your integration requires.
3. Copy the new key and store it in a secrets manager or environment variable.

The new key is only displayed once, at the time of creation. Store it securely before closing the dialog.

## Step 3: Update your integrations

Replace the old key with the new one in every system that uses it:

- Environment variables (`.env` files, CI/CD secrets, cloud provider secret stores)
- Application configuration
- Third-party services that call the Lightfield API on your behalf

## Step 4: Audit for unauthorized access

Review recent activity in your Lightfield workspace to check for any unauthorized changes:

- Look for unexpected accounts, contacts, or opportunities that may have been created, modified, or deleted.
- Check for unfamiliar workflow configurations.
- If you notice suspicious activity, contact for assistance.
## Step 5: Remove the secret from your repository history

Removing the key from the current version of a file is not enough. The key will still be visible in your git history. To fully remove it:

- Use a tool like [git filter-repo](https://github.com/newren/git-filter-repo) or [BFG Repo-Cleaner](https://rocketgit.com/user/MichaelHeinworker/bfg-repo-cleaner) to rewrite history.
- Force-push the cleaned history.
- If the repository is public, consider the key permanently compromised regardless of history rewriting, since the content may have been cached or cloned by others.

## Preventing future leaks

- **Use environment variables or a secrets manager** instead of hardcoding keys in source code.
- **Add secret patterns to `.gitignore`** to prevent committing `.env` files or other configuration files that contain keys.
- **Enable GitHub secret scanning** on your repositories to receive alerts when secrets are pushed.
- **Use separate keys per integration** so a single leak only affects one service.
- **Rotate keys periodically** to limit the window of exposure if a key is leaked without detection.

For more on managing API keys securely, see [API keys](/using-the-api/api-keys/index.md).

## Contact us

If you need help investigating a leaked key or believe your workspace data has been accessed without authorization, contact us at .
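As a local complement to the secret scanning described under "Preventing future leaks", the following added example (not part of Lightfield's documentation or tooling) scans files for the documented `sk_lf_` key prefix so a pre-commit hook can block the commit. The assumed key alphabet and minimum length after the prefix are guesses, and findings are masked so the scanner itself never reprints a full key into logs.

```python
"""Scan text or files for Lightfield-style API keys before they are committed."""
import re
import sys

# Assumed key shape: the documented `sk_lf_` prefix followed by at least 16
# URL-safe characters. The real length and alphabet are not documented here,
# so adjust the pattern if your keys look different.
KEY_PATTERN = re.compile(r"\bsk_lf_[A-Za-z0-9_-]{16,}\b")

# Constructed sample input; these are not real keys.
SAMPLE = """LIGHTFIELD_API_KEY=sk_lf_constructedexample0123456789
# nothing sensitive on this line
token = "sk_lf_anotherconstructedkeyvalue42"
short sk_lf_abc should not match
"""


def mask_key(key: str) -> str:
    """Keep the prefix and last four characters so a finding can be matched
    against the dashboard's key list without reprinting the full secret."""
    return f"{key[:6]}...{key[-4:]}"


def find_lightfield_keys(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, masked key) for every match in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((lineno, mask_key(match.group(0))))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[tuple[int, str]]]:
    """Scan each path; unreadable files are skipped, binary bytes ignored."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_lightfield_keys(fh.read())
        except OSError:
            continue
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # As a pre-commit hook (hypothetical file name scan_keys.py):
    #   git diff --cached --name-only --diff-filter=ACM | xargs python scan_keys.py
    found = scan_files(sys.argv[1:])
    for path, hits in found.items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: possible Lightfield API key {masked}")
    sys.exit(1 if found else 0)  # non-zero exit code blocks the commit
```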