HIGH phishing api keysfastapijwt tokens

Phishing Api Keys in Fastapi with Jwt Tokens

Scan for phishing api keys in fastapi

Phishing API Keys in FastAPI with JWT Tokens — how this specific combination creates or exposes the vulnerability

When API keys are handled alongside JWT tokens in a FastAPI application, phishing risks increase because both credential types can be inadvertently exposed through logging, error messages, or client-side storage. A common pattern developers use is storing a static API key as an environment variable and also issuing JWTs for user sessions. If the API key is embedded in error responses or debug output, it can be harvested by phishing pages that masquerade as legitimate authentication or analytics endpoints.

Attackers may craft URLs that look like internal FastAPI routes (e.g., /api/v1/auth/token) and trick users or backend services into sending credentials. With JWT tokens, if the signing secret or a poorly configured algorithm (such as none) is discoverable, an attacker can forge tokens. In FastAPI, if the application does not strictly validate the aud (audience) and iss (issuer) claims, a phishing site that obtains a token intended for another audience can reuse it across services.

Phishing can also occur at the infrastructure level: if FastAPI OpenAPI specs are publicly exposed, an attacker can enumerate endpoints that accept API keys and JWTs. The combination means a phished API key might grant access to administrative routes that issue or introspect JWTs, compounding the impact. For example, an endpoint that rotates keys or revokes tokens could be invoked with a phished key, allowing an attacker to disrupt authentication for all users.

Additionally, if FastAPI relies on JWT access tokens but does not enforce strict referrer or origin checks, malicious sites can trick authenticated users into making cross-origin requests that include cookies or bearer tokens. While FastAPI itself does not set cookies by default when using JWTs, middleware or custom wrappers might inadvertently expose headers that include key material in logs or to browser JavaScript, creating a phishing surface.

JWT Tokens-Specific Remediation in Fastapi — concrete code fixes

Secure JWT handling in FastAPI requires strict validation of token structure, claims, and cryptographic parameters. Use the python-jose library with explicit algorithms and audience/issuer checks. Below is a robust example that avoids common pitfalls such as accepting none and skipping verification.

from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from jose import JWTError, jwt
from pydantic import BaseModel
import os

app = FastAPI()
security_scheme = HTTPBearer()

SECRET_KEY = os.getenv('JWT_SECRET_KEY')
ALGORITHM = 'RS256'
AUDIENCE = 'myapi.example.com'
ISSUER = 'auth.example.com'

class TokenData(BaseModel):
    sub: str
    scopes: list[str]

def decode_token(token: str) -> TokenData:
    try:
        payload = jwt.decode(
            token,
            key=SECRET_KEY,
            algorithms=[ALGORITHM],
            audience=AUDIENCE,
            issuer=ISSUER,
        )
        return TokenData(sub=payload.get('sub'), scopes=payload.get('scopes', []))
    except JWTError as e:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=f'Invalid authentication credentials: {e}',
            headers={'WWW-Authenticate': 'Bearer'},
        )

def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security_scheme)) -> TokenData:
    return decode_token(credentials.credentials)

@app.get('/users/me')
def read_current_user(user: TokenData = Depends(get_current_user)):
    return {'user_id': user.sub, 'scopes': user.scopes}

Key remediation points: enforce a strong algorithm like RS256 or ES256 instead of HS256 where feasible, always specify audience and issuer, and avoid logging raw tokens. For API keys, store them in a secrets manager and rotate them regularly; do not embed them in JavaScript or client-side code that can be phished. If you use the middleBrick CLI (middlebrick scan <url>), it can detect missing audience/issuer validation and weak algorithms as part of its authentication checks.

In production, serve FastAPI behind a gateway that enforces mutual TLS for sensitive endpoints and strips unnecessary headers before responses reach the application. Middleware that adds security headers and suppresses detailed errors reduces the chance that API keys or JWT metadata leak via phishing-friendly error pages. The Pro plan of middleBrick includes continuous monitoring and GitHub Action integration to ensure these controls remain enforced across deployments.

Scan for phishing api keys in fastapi Free API security scan

Frequently Asked Questions

How does middleBrick detect weak JWT configurations in FastAPI endpoints?
middleBrick runs 12 security checks in parallel, including Authentication and Input Validation. For JWT tokens, it tests algorithm flexibility, validates the presence and correctness of audience and issuer claims, and checks for common misconfigurations such as accepting the 'none' algorithm. Findings appear in the dashboard with severity and remediation guidance, and the CLI can be run locally with 'middlebrick scan ' to surface these issues early.
Can the GitHub Action fail a build if a FastAPI JWT setup is non-compliant?
Yes. With the middleBrick GitHub Action, you can add API security checks to your CI/CD pipeline and set a threshold for the security risk score. If the score drops below your defined threshold—due to weak JWT handling or exposed API keys—the build will fail, preventing deployment of insecure configurations.

Related Pages

Phishing Api Keys in FastapiLearn how phishing API keys exploit FastAPI apps via OpenAPI leaks and errors. Detect with middleBrick's Data Exposure sPhishing Api Keys with Jwt TokensLearn how phishing API keys manifest in JWT tokens through algorithm confusion, claim tampering, and token substitution Phishing Api Keys in Fastapi on AwsLearn how phishing can expose API keys in FastAPI on AWS and apply concrete IAM, secrets, and input validation fixes witPhishing Api Keys in Fastapi on AzureUnderstand how phishing API keys can affect FastAPI apps on Azure and apply Azure-specific code fixes using Key Vault anPhishing Api Keys in Fastapi on DigitaloceanLearn how phishing exposes API keys in FastAPI on DigitalOcean, with concrete remediation code examples and secure deploPhishing Api Keys in Fastapi on CloudflareExplore phishing risks for API keys in FastAPI behind Cloudflare, with secure remediation patterns and header validationOwasp Api Top 10: Phishing Api Keys in FastapiExplore OWASP API Top 10 phishing API keys risks in FastAPI with concrete examples and remediation guidance.Hipaa: Phishing Api Keys in FastapiExplore HIPAA risks when API keys are exposed via FastAPI endpoints and learn concrete Fastapi-specific fixes with securGdpr: Phishing Api Keys in FastapiLearn how GDPR intersects with phishing API keys in Fastapi apps, and apply concrete Fastapi code fixes to protect keys Nist: Phishing Api Keys in FastapiExplore NIST guidance applied to phishing api keys in Fastapi, with code examples and remediation aligned to authenticatPhishing Api Keys in Fastapi with DynamodbExplore how FastAPI with DynamoDB can expose API keys to phishing, and apply DynamoDB-specific fixes with secure code exPhishing Api Keys in Fastapi with CockroachdbExplore how API keys can be phished in Fastapi+Cockroachdb apps, and apply Cockroachdb-specific fixes and tenant-aware q