What’s the risk of weak API keys or tokens?
API keys provide authentication without user interaction. Weak or exposed keys enable unauthorized access: sending email, modifying lists, accessing analytics, or changing configurations. Keys often have broad permissions.
Exposure vectors: keys committed to public code repositories, logged in debug output, shared insecurely, or obtained through phishing. Once exposed, keys work until rotated regardless of who has them.
Mitigation: use minimum necessary permissions, rotate keys regularly, monitor for unauthorized usage, never commit keys to repositories, and use secret management systems rather than hardcoding.
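Two of the exposure vectors above (keys committed to repositories and keys logged in debug output) can be caught mechanically. The following added example, not part of the original answer, shows a constructed entropy heuristic for flagging key-like tokens in file content before it is committed, and a logging filter that masks the same tokens before they reach a log handler; the regex, threshold and sample key are assumptions made for this illustration, not any vendor's key format.

```python
import logging
import math
import re
from collections import Counter

# Heuristic, not a vendor-specific format: 20+ chars of a token alphabet whose
# per-character entropy is well above what prose or placeholders reach.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{20,}")
MIN_ENTROPY = 3.5  # bits per character

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_key(tok: str) -> bool:
    return shannon_entropy(tok) >= MIN_ENTROPY

def find_candidate_keys(text: str):
    """(line_no, token) pairs in file content, e.g. a staged diff before commit."""
    return [(n, t) for n, line in enumerate(text.splitlines(), 1)
            for t in TOKEN_RE.findall(line) if looks_like_key(t)]

def mask(text: str) -> str:
    """Replace key-like tokens, keeping a 4-char prefix to identify which key to rotate."""
    return TOKEN_RE.sub(lambda m: m.group(0)[:4] + "****"
                        if looks_like_key(m.group(0)) else m.group(0), text)

class RedactSecrets(logging.Filter):
    """Masks key-like tokens before any handler writes the record (debug-output vector)."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask(record.getMessage())
        record.args = ()
        return True

def redacted(msg: str, *args) -> str:
    """What a handler sees for logger.debug(msg, *args) once the filter is installed."""
    rec = logging.LogRecord("demo", logging.DEBUG, "", 0, msg, args, None)
    RedactSecrets().filter(rec)
    return rec.getMessage()

# Constructed sample file; the key value is made up for this example.
SAMPLE_SOURCE = '''MAILER_API_KEY = "A9f3Kz81QmPx7wLr2Vt0Ys6Nb4Hd"
TIMEOUT_SECONDS = 30
PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"
'''
```

Install the filter with `logging.getLogger().addFilter(RedactSecrets())` so every record passes through it; the low-entropy placeholder in the sample is deliberately not flagged, while the random-looking key on the first line is.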