Why API Authentication Tokens Get Stolen and How to Stop It

API tokens have become the keys to the kingdom for modern applications. A single bearer token can authorise hundreds of requests, often with permissions that span sensitive data, financial transactions and administrative functions. Token theft has therefore become a primary objective for attackers, and the methods used to steal them are far more varied than most teams plan for.

Where Tokens Actually Leak

Tokens leak from places most threat models never consider. Source control repositories, particularly public forks of internal projects, are a perennial favourite. Continuous integration logs that print environment variables. Browser developer tools history. Crash dumps uploaded to third party services. Mobile applications that log their own request and response bodies for debugging. None of these involve sophisticated attack techniques. All of them produce token leaks that an attacker can use immediately. A regular vulnerability scanning service covering your public surface, including code repositories and exposed log endpoints, finds more of these than most teams expect.
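The leak channels above share one property: the token sits in plain text inside something that was never meant to be a secret store, such as a CI log or a committed file. The scanner below is an added example, not code from the article or from Aardwolf Security; it looks for token-shaped strings in a constructed CI log and a constructed diff, drops low-entropy placeholders so that dummy values do not drown real findings, and reports only a short preview of each match so the scanner's own output does not become another leak. The regular expressions and the entropy threshold are assumptions chosen for this example; a production scanner carries many more patterns.

```python
import math
import re
from collections import Counter

# Constructed patterns for this example. Group 1, where present, is the candidate secret.
PATTERNS = {
    "bearer_header": re.compile(r"(?i)authorization:\s*bearer\s+([A-Za-z0-9\-_.~+/]{16,}=*)"),
    "env_assignment": re.compile(r"(?i)\b\w*(?:API_KEY|TOKEN|SECRET)\w*\s*=\s*['\"]?([A-Za-z0-9\-_./+]{16,})"),
    "jwt_like": re.compile(r"\beyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\b"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character; placeholders such as 'xxxxxxxx' score near zero."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, source: str, min_entropy: float = 3.0) -> list:
    """Scan a blob of text line by line and return findings without echoing the full secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen_on_line = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                candidate = match.group(1) if match.groups() else match.group(0)
                if candidate in seen_on_line:
                    continue  # the same string matched by two patterns is one finding
                if shannon_entropy(candidate) < min_entropy:
                    continue  # dummy values like TOKEN=xxxxxxxxxxxxxxxx are not leaks
                seen_on_line.add(candidate)
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "preview": candidate[:6] + "...",  # never write the whole token back out
                })
    return findings


# Constructed sample input: a CI log that prints its environment and calls an API,
# and a diff that commits a key. The token values are made up for this example.
SAMPLE_CI_LOG = """\
[12:00:01] Setting up environment
[12:00:01] ACCESS_TOKEN=tok_9f3Kq2ZmR7xWpL4vB8nTc1Yd
[12:00:02] DEBUG_TOKEN=xxxxxxxxxxxxxxxxxxxx
[12:00:02] curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl' https://api.example.test/v1/me
"""

SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,3 @@
 DEBUG = False
+API_KEY = "key_Qw8eR2tY6uI0oP3aS5dF7gH"
"""


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CI_LOG, "ci-log") + scan_text(SAMPLE_DIFF, "diff"):
        print(finding)
```

Run the same function over CI job output, crash dump text and commit diffs; the `source` field is what lets an alert say which of the channels above is leaking.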

Short Lifetimes Limit The Damage

A token that lasts six hours is a much smaller problem than one that lasts six months. Short lived access tokens, combined with refresh tokens that can be revoked centrally, give you the ability to invalidate compromised credentials quickly. Long lived tokens, particularly those issued to mobile applications and not rotated, are a much bigger headache because revoking them tends to involve forcing every user to log in again across every device.
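The six-hour versus six-month point in the paragraph above comes down to two mechanisms working together: an access token that expires on its own, and a refresh token that the server can revoke in one place. The code below is an added example, not the article's or Aardwolf Security's code. It assumes a single HMAC signing key held by the issuer (the key in the block is a constructed placeholder), six-hour access tokens, thirty-day refresh tokens stored only as hashes, and single-use refresh tokens that are rotated on every redemption; the reuse-detection behaviour, where presenting an already-rotated refresh token revokes every token for that subject, goes beyond what the paragraph states and is a design choice of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example: one issuer-held HMAC key (placeholder, not a real secret),
# six-hour access tokens and thirty-day refresh tokens that live server-side.
SIGNING_KEY = b"placeholder-signing-key-replace-me"
ACCESS_TTL = 6 * 60 * 60          # six hours
REFRESH_TTL = 30 * 24 * 60 * 60   # thirty days, revocable centrally


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, now: int, ttl: int = ACCESS_TTL) -> str:
    """Self-contained short-lived token: the signature and 'exp' are all a resource server needs."""
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_access_token(token: str, now: int):
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None
    return claims


def _digest(token: str) -> str:
    # Only a hash of each refresh token is stored, so a copied database does not hold live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenStore:
    """Server-side refresh tokens: single use, rotated on every redemption, revocable in one place."""

    def __init__(self):
        self._records = {}  # sha256(token) -> {"sub", "exp", "revoked"}

    def issue(self, subject: str, now: int, ttl: int = REFRESH_TTL) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = {"sub": subject, "exp": now + ttl, "revoked": False}
        return token

    def redeem(self, token: str, now: int):
        """Exchange a refresh token for a new (access, refresh) pair, or None if it is not acceptable."""
        record = self._records.get(_digest(token))
        if record is None or now >= record["exp"]:
            return None
        if record["revoked"]:
            # A rotated token being presented again means two parties hold copies
            # (the legitimate client and whoever took it). Cut off the whole subject.
            self.revoke_subject(record["sub"])
            return None
        record["revoked"] = True  # single use: the old refresh token is dead from here on
        return issue_access_token(record["sub"], now), self.issue(record["sub"], now)

    def revoke_subject(self, subject: str) -> int:
        """Central kill switch: invalidates every live refresh token for one subject."""
        revoked = 0
        for record in self._records.values():
            if record["sub"] == subject and not record["revoked"]:
                record["revoked"] = True
                revoked += 1
        return revoked


if __name__ == "__main__":
    now = int(time.time())
    store = RefreshTokenStore()
    refresh = store.issue("alice", now)
    access, refresh2 = store.redeem(refresh, now + 1)
    print("access valid now:", verify_access_token(access, now + 1) is not None)
    print("access valid in 7h:", verify_access_token(access, now + 7 * 3600) is not None)
    print("old refresh reused:", store.redeem(refresh, now + 2))
    print("rotated refresh after reuse:", store.redeem(refresh2, now + 3))
```

Note what revocation does and does not buy you here: `revoke_subject` stops a thief from minting new access tokens immediately, while an already-issued access token keeps working until its `exp`. That residual window is exactly why the access lifetime has to be short.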

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The most uncomfortable conversations I have with clients are the ones where a token has clearly leaked, has been actively used by an attacker, and the development team explains that revoking it will break a critical workflow. The fix is always faster than living with the breach, but the friction of telling that to a board the morning after an incident is rough.

Where Token Hygiene Falls Apart

Tokens get committed to source control repositories. Tokens get logged by middleware that nobody configured to redact them. Tokens get cached on shared developer workstations. Each of these failure modes is preventable with operational discipline. Secret scanning on every commit, structured logging that excludes sensitive fields and clear policies on credential handling all reduce the leakage rate substantially. Treat tokens like cash and the operational discipline tends to follow. Teams that handle physical cash carefully tend to write better credential handling code than teams that treat credentials as routine configuration data.
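The "middleware that nobody configured to redact them" failure is the easiest of the three to close with code rather than policy. The block below is an added example, not the article's or Aardwolf Security's code: a `logging.Filter` that rewrites every record before any formatter sees it, masking sensitive field names in structured payloads and bearer strings in free text. The field list, the bearer pattern and the constructed request it logs are assumptions for this example.

```python
import logging
import re

# Field names that must never reach a log line, compared case-insensitively.
# A constructed starting point for this example, not an exhaustive list.
SENSITIVE_KEYS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                  "access_token", "refresh_token", "api_key", "password"}

# Bearer credentials embedded in free text ("... Bearer abc.def ...").
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-_.~+/]+=*")
MASK = "[REDACTED]"


def redact(value):
    """Recursively scrub sensitive keys and bearer strings from anything about to be logged."""
    if isinstance(value, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, tuple):
        return tuple(redact(v) for v in value)
    if isinstance(value, str):
        return BEARER_RE.sub(r"\1" + MASK, value)
    return value


class RedactingFilter(logging.Filter):
    """Rewrites the record in place; attached at logger level it runs before every handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.msg)
        if record.args:  # tuple for positional formatting, dict for mapping formatting
            record.args = redact(record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines so the example can show what would have been written."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name: str = "api.redacted"):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler


def log_sample_request() -> list:
    """Log a constructed inbound request the way careless middleware would, and return the lines."""
    logger, handler = build_logger()
    request = {"method": "GET", "path": "/v1/me",
               "headers": {"Authorization": "Bearer tok_abc.def.ghi", "Accept": "application/json"}}
    logger.info("inbound %s", request)
    logger.info("upstream returned 401 for Bearer tok_abc.def.ghi")
    logger.info("login failed for %s", {"user": "alice", "password": "hunter2-constructed"})
    return handler.lines


if __name__ == "__main__":
    for line in log_sample_request():
        print(line)
```

Attaching the filter to the logger rather than to one handler matters: a handler-level filter only protects that handler's output, and the unredacted record still reaches any other handler (a file, a remote collector) added later.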

Binding Tokens To Context

A token that works from any IP address and any client is more useful to a thief than to its legitimate owner. Modern token issuance can include constraints that tie a token to a device, an IP range or a TLS session. None of these protections are perfect, but together they make stolen tokens much harder to replay. A penetration testing quote covering API testing should explicitly include replaying tokens from alternative contexts to verify that these protections are actually in force.
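The three bindings named above (device, IP range, TLS session) can be expressed as confirmation material carried in the token and checked on every request. The code below is an added example, not the article's or Aardwolf Security's code, and it assumes the claims have already passed signature and expiry checks. The `cnf` layout, the field names and the constructed device and certificate bytes are assumptions for this example rather than any particular token standard; the TLS binding is modelled as a hash of the presented client certificate. The check returns which binding failed, because a mismatch is the thing a detection team wants logged.

```python
import hashlib
import hmac
import ipaddress

# Assumption for this example: 'claims' arrives here only after signature and expiry
# have been verified, so this module is purely about whether the presenter matches
# the context the token was bound to when it was issued.


def fingerprint(material: bytes) -> str:
    return hashlib.sha256(material).hexdigest()


def bind_claims(claims: dict, *, ip_net=None, device_material=None, tls_cert_der=None) -> dict:
    """At issuance: attach the requested context bindings under a constructed 'cnf' member."""
    cnf = {}
    if ip_net is not None:
        cnf["ip_net"] = str(ipaddress.ip_network(ip_net, strict=False))
    if device_material is not None:
        cnf["device"] = fingerprint(device_material)
    if tls_cert_der is not None:
        cnf["tls_cert_sha256"] = fingerprint(tls_cert_der)
    return {**claims, "cnf": cnf}


def check_binding(claims: dict, ctx: dict):
    """At each request: compare the token's bindings with what the server observed.

    ctx may carry 'client_ip', 'device_material' and 'tls_cert_der'.
    Returns (ok, failures); every name in failures is a binding that did not match.
    """
    cnf = claims.get("cnf", {})
    failures = []
    if "ip_net" in cnf:
        ip = ctx.get("client_ip")
        # ip_network.__contains__ returns False for a mismatched IP version, so a v6
        # presenter against a v4-bound token fails closed rather than raising.
        if ip is None or ipaddress.ip_address(ip) not in ipaddress.ip_network(cnf["ip_net"]):
            failures.append("ip")
    if "device" in cnf:
        material = ctx.get("device_material")
        if material is None or not hmac.compare_digest(fingerprint(material), cnf["device"]):
            failures.append("device")
    if "tls_cert_sha256" in cnf:
        cert = ctx.get("tls_cert_der")
        if cert is None or not hmac.compare_digest(fingerprint(cert), cnf["tls_cert_sha256"]):
            failures.append("tls")
    return (not failures, failures)


# Constructed material for the demonstration below; not real device secrets or certificates.
DEVICE_A = b"constructed-device-material-A"
DEVICE_B = b"constructed-device-material-B"
CERT_A = b"constructed-client-cert-der-A"


if __name__ == "__main__":
    token = bind_claims({"sub": "alice"}, ip_net="203.0.113.0/24",
                        device_material=DEVICE_A, tls_cert_der=CERT_A)
    legit = {"client_ip": "203.0.113.7", "device_material": DEVICE_A, "tls_cert_der": CERT_A}
    replay = {"client_ip": "198.51.100.9", "device_material": DEVICE_B, "tls_cert_der": CERT_A}
    print("legitimate:", check_binding(token, legit))
    print("replayed elsewhere:", check_binding(token, replay))
```

The `failures` list is the detection hook: a token that is valid by signature and expiry but fails the `ip` or `device` binding is precisely the replay case the paragraph describes, and it deserves an alert rather than a silent 401.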

Tokens are credentials. Treat them with the same paranoia you would apply to a password. Token theft is largely preventable through operational discipline. The fixes are well known. The discipline to apply them is what separates the breach statistics from everyone else. API security is harder than web application security in some respects and easier in others. The teams that understand the differences and design their controls accordingly tend to produce better outcomes than the ones that simply apply web thinking to API problems.
