Secrets management in OpenAPI files

Stop credential leaks in specs, samples, and Postman collections.

Published: February 3, 2026 • Author: APISAST

Why secrets leak

Researchers continue to find API keys in public repos and documentation. Recent reports show thousands of keys exposed in Postman collections and leaked OpenAPI examples. Attackers use these credentials to pivot into internal systems, making design-time hygiene critical.

Where to look

  • Example headers (Authorization: Bearer <token>) embedded in specs.
  • Server URLs that embed basic-auth credentials (https://user:password@host).
  • Postman environment exports with real keys.
  • Inline secrets inside webhook callback examples.

Safe patterns

  • Use placeholders like YOUR_API_KEY and document how to create keys.
  • Store real credentials in vaults; inject via environment variables in CI.
  • Separate public docs from internal specs; strip examples before publishing.
  • Rotate keys automatically when a leak is detected.

Run SAST testing for APIs to scan for hard-coded secrets on every commit. The OpenAPI security scanner flags sensitive patterns and reminds you to redact samples.
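As an added example (not the scanner's own code and not part of the original post), a small Python checker that walks a parsed OpenAPI document and flags the spots listed above: bearer tokens in example headers, basic-auth credentials in server URLs, and inline secrets in callback examples, while letting YOUR_API_KEY-style placeholders through. The regexes, the list of secret-bearing field names and the sample spec are constructed for illustration.

```python
import json
import re

# Placeholders (YOUR_API_KEY, <token>, {{token}}) pass; constructed rules, not the scanner's own.
PLACEHOLDER = re.compile(r"^(YOUR_[A-Z0-9_]+|<[^>]+>|\{\{[^}]+\}\})$")
BEARER = re.compile(r"^Bearer\s+(\S+)$")
BASIC_AUTH_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)
SECRET_KEYS = {"api_key", "apikey", "token", "secret", "password", "x-api-key"}

def check_value(key, value, path):
    """Return a finding for one string scalar, or None if it looks safe."""
    m = BEARER.match(value)
    if m:
        return None if PLACEHOLDER.match(m.group(1)) else f"{path}: bearer token"
    if BASIC_AUTH_URL.match(value):
        return f"{path}: basic-auth credentials in URL"
    if key.lower() in SECRET_KEYS and not PLACEHOLDER.match(value):
        return f"{path}: inline secret in field '{key}'"
    return None

def find_secrets(spec):
    """Walk a parsed OpenAPI document (dict) and collect every flagged path."""
    findings = []
    def walk(node, key, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, k, f"{path}/{k}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, key, f"{path}/{i}")
        elif isinstance(node, str):
            finding = check_value(key, node, path)
            if finding:
                findings.append(finding)

    walk(spec, "", "")
    return findings

# Constructed sample: a leaky server URL, a leaky header example, a leaky
# callback example, and one correct placeholder that must stay silent.
SAMPLE_SPEC = json.loads("""{"openapi": "3.0.3",
 "servers": [{"url": "https://svc:hunter2@api.example.com/v1"}],
 "paths": {"/orders": {"post": {
   "parameters": [{"name": "Authorization", "in": "header",
                   "example": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"}],
   "callbacks": {"onShipped": {"{$request.body#/callbackUrl}": {"post": {"requestBody":
     {"content": {"application/json": {"example":
       {"api_key": "sk_live_0123456789abcdef", "status": "shipped"}}}}}}}}}}},
 "components": {"examples": {"auth": {"value": "Bearer YOUR_API_KEY"}}}}""")
```

Running `find_secrets(SAMPLE_SPEC)` reports the server URL, the header example and the callback `api_key`, and stays silent on the `YOUR_API_KEY` placeholder; wiring it into a pre-commit or CI step gives the per-commit check the text recommends.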

Incident response

If a credential leaks, revoke it, rotate downstream secrets, and add regression tests so the same pattern cannot merge again. Notify affected partners and update audit logs. Keep a playbook in the repo so engineers know the exact steps.