
Scope Your Tokens

Never create a "Full Access" API token. Give it the absolute minimum permissions needed to function.

The Principle of Least Privilege

Every API token, service account, and access credential should have exactly the permissions needed for its purpose — no more. This is called the Principle of Least Privilege (PoLP), and it's one of the most impactful security principles you can apply.

When you create a "Full Access" token to avoid the friction of figuring out the exact permissions needed, you create an amplifier for any breach. If that token leaks, the attacker inherits everything it can do.

Real Examples of Scope Creep Risk

Scenario 1: You create a GitHub token with "repo" scope (all repos, read/write) to let a CI/CD tool clone a repository. That token leaks in a log file. The attacker now has write access to every repository in your organization.

Correct approach: Create a token with read-only access to the specific repository, scoped to "contents: read" only.

Scenario 2: You create a full-admin API token for an analytics integration that only needs to read data. The analytics vendor gets breached. Your token is exposed. The attacker has full admin access to your platform.

Correct approach: Create a read-only token. Read access can't delete, modify, or exfiltrate credentials.

Scoping By Platform

GitHub Personal Access Tokens:

  • Use fine-grained tokens (not classic tokens)
  • Select only the specific repository
  • Select only the permissions needed (contents: read, metadata: read)
  • Set an expiration date

AWS IAM:

  • Create purpose-specific IAM roles
  • Use IAM policies with explicit Allow for only the actions needed
  • Avoid AdministratorAccess unless absolutely necessary
  • Enable CloudTrail to audit what the credentials actually do

Stripe API:

  • Use restricted keys for read-only dashboards
  • Webhook signing secrets are separate from API keys
  • Never use live API keys in development environments

Cloudflare API:

  • Create tokens scoped to specific zones (domains)
  • Grant read and edit permissions separately, per zone
  • Never use the Global API Key unless required

Token Hygiene

Beyond scoping:

  1. Set expiration dates — rotate tokens regularly
  2. One token per purpose — never share tokens between systems
  3. Audit active tokens — review and revoke unused tokens quarterly
  4. Store in secrets managers — AWS Secrets Manager, HashiCorp Vault, not environment files on disk
  5. Rotate immediately if exposed — don't wait to confirm misuse

Minimum scope, maximum control. The token that can do less can hurt less.

Get your site properly hardened.

The Voice of Cash delivers professional security audits and hands-on implementation.
