Skip to main content

Access Keys, Secrets Scanning, and Revocation

Authress provides automatic secrets scanning and revocation for your exposed Service Client Access Keys. The access keys generated secure your service clients, and it is critically important to keep these access keys secret at all times.

However, it is possible that some of these access keys might end up in your source code repositories, and so Authress utilizes our its internal tools as well as partnerships with GitHub, GitLab, as well as others secret scanning programs such as Gitleaks.

Automated Processโ€‹

Authress searches for instances of exposed service client access keys. The key aspects of this program are:

1. Detectionโ€‹

Authress searches for strings matching our token regex. Token usually look something like this:


And all of them follow this regex:

// Parts are separated by a `.` period:

// 1. Starts with sc or ext

// 2. followed by the service client ID

// 3. access key ID

// 4. your account ID

// 5. The raw private key

2. Revocationโ€‹

When Authress detects one of these tokens either directly or via one of our partners' secret scanning programs, these tokens will be automatically revoked. Preventing any long term vulnerabilities as a result of these exposed tokens. These tokens will be immediately removed from your account and blocked.


Be prepared to handle issues when the usage of these tokens are revoked. If you find a reason where you need to store a publicly accessible Authress Service Client Access Key, please reach out to our Support so we can better understand your use case.

3. Alertingโ€‹

After the revocation of the Service Client Access Key an email will be sent to your Account Contact to alert you of this activity in your account. There is no action required on your side, but you want to follow up review how this happened so help prevent additional issues.

Email example of token exposure result

4. Remediationโ€‹

When one of your tokens gets revoked due to exposure here are the recommended steps to take to follow up on this action:

CI/CD Token usageโ€‹

Authress provides OIDC token integration support already for every OIDC compatible provider, GitHub, GitLab, Terraform, etc... So that in these environments, Service Client Access Key are not necessary. There is more about this in the OIDC Token integration guide.