Deepgram API Key
A Deepgram API Key is a credential used to authenticate requests to Deepgram's speech recognition services. These keys allow applications to access various features such as real-time transcription, language translation, and audio analysis. Exposure of a Deepgram API Key can lead to unauthorized use of the service, potentially resulting in unexpected charges and misuse of the associated account.
How Does It Look
Deepgram API Keys can appear in various contexts, such as:
- Environment variables:
export DEEPGRAM_API_KEY="dg.xxxxxxx"
- Configuration files (JSON):
{
  "deepgram": {
    "apiKey": "dg.xxxxxxx"
  }
}
- Code snippets:
deepgram_api_key = "dg.xxxxxxx"
- Connection strings:
deepgram://api.deepgram.com?api_key=dg.xxxxxxx
Severity
🟠 High
The severity of exposing a Deepgram API Key is high because it grants access to the Deepgram account's services, which could lead to unauthorized usage and potential financial implications. The blast radius includes any application or service that relies on Deepgram for speech processing, potentially affecting multiple systems.
What Can an Attacker Do?
With immediate access to a Deepgram API Key, an attacker can exploit the service for unauthorized purposes.
Key actions an attacker can perform:
- Consume API resources: Generate excessive transcription requests (if the key has access to transcription services)
- Access sensitive data: Retrieve transcriptions of audio files (if the key has access to stored audio data)
- Incur financial charges: Use the service extensively, leading to unexpected billing (if the account is not on a fixed plan)
- Disrupt service availability: Exhaust API rate limits, affecting legitimate users (if rate limits are not properly configured)
An attacker could potentially escalate their access by leveraging the API to gather more information about the account or by using the service to perform further reconnaissance.
Real-World Impact
The exposure of a Deepgram API Key poses significant business risks, primarily related to unauthorized service usage and financial implications.
Potential consequences include:
- Data Exposure: Unauthorized access to transcriptions and audio data (if the credential has read access to sensitive data)
- Financial Loss: Unexpected charges due to excessive API usage (if billing/resource creation is permitted)
- Operational Disruption: Service interruptions due to exhausted API limits (if the attacker has access to high-volume operations)
- Reputational Damage: Loss of trust if sensitive data is exposed or services are disrupted
In a worst-case scenario, prolonged unauthorized access could lead to significant financial losses and damage to the organization's reputation, especially if sensitive customer data is involved.
Prerequisites for Exploitation
To exploit a Deepgram API Key, an attacker needs:
- Network access: Ability to send requests to the Deepgram API endpoint
- API endpoint information: Knowledge of the specific Deepgram API endpoints to target
- No rate limits: Absence of effective rate limiting or monitoring to detect unusual activity
How to Verify If It's Active
To verify if a Deepgram API Key is active, use the following command:
curl -X GET "https://api.deepgram.com/v1/projects" -H "Authorization: Token [API_KEY]"
Valid credential response: A successful response will return a list of projects associated with the account.
Invalid/expired credential response: An error message indicating unauthorized access or invalid credentials.
Detection Patterns
Common Variable Names:
- DEEPGRAM_API_KEY
- DG_API_KEY
- DEEPGRAM_KEY
- API_KEY_DEEPGRAM
- DEEPGRAM_SECRET
- DG_KEY
File Locations:
- .env
- config.json
- settings.yaml
- credentials.txt
Regex Pattern:
dg\.[a-zA-Z0-9]{7,}
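The regex above is short, so on its own it produces weak findings. The scanner below is an added example (not code from the page or from Deepgram) that applies the page's regex, variable names and file locations together: each hit is labelled with the appearance form it matches (environment variable, JSON config, code assignment or connection string, as listed under "How Does It Look"), its confidence is raised when one of the known variable names or file names is present, and the secret itself is never stored, only a short hash fingerprint for deduplication. Function names, the confidence rule and the sample files are assumptions made for this example; the sample keys are constructed placeholders.

```python
"""Scan text for Deepgram API key patterns (added example; names and rules are assumptions)."""
import hashlib
import re
from typing import NamedTuple

# Regex from the page: "dg." followed by at least seven alphanumerics.
KEY_PATTERN = re.compile(r"dg\.[a-zA-Z0-9]{7,}")

# Variable names from the page; a match on the same line raises confidence.
VARIABLE_NAMES = ("DEEPGRAM_API_KEY", "DG_API_KEY", "DEEPGRAM_KEY",
                  "API_KEY_DEEPGRAM", "DEEPGRAM_SECRET", "DG_KEY")
VARIABLE_PATTERN = re.compile(
    r"\b(?:" + "|".join(VARIABLE_NAMES) + r")\b", re.IGNORECASE)

# File locations from the page; a hit inside one of these is treated as higher confidence.
KNOWN_FILES = (".env", "config.json", "settings.yaml", "credentials.txt")


class Finding(NamedTuple):
    path: str
    line_no: int
    context: str       # env, json, code, url or unknown
    confidence: str    # high or medium (assumed scoring, not from the page)
    fingerprint: str   # truncated SHA-256 of the secret, never the secret itself


def classify_context(line: str) -> str:
    """Map a line to one of the appearance forms listed under 'How Does It Look'."""
    s = line.strip()
    if s.startswith("export ") or re.match(r"^[A-Z_][A-Z0-9_]*=", s):
        return "env"
    if "://" in s and "api_key=" in s:
        return "url"
    if re.match(r'^"[^"]+"\s*:', s):
        return "json"
    if "=" in s:
        return "code"
    return "unknown"


def fingerprint(secret: str) -> str:
    """Stable, non-reversible identifier so the same leak can be deduplicated across files."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per regex hit; the matched secret is hashed, not retained."""
    in_known_file = path.rsplit("/", 1)[-1] in KNOWN_FILES
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            has_var = VARIABLE_PATTERN.search(line) is not None
            findings.append(Finding(
                path=path,
                line_no=line_no,
                context=classify_context(line),
                confidence="high" if (has_var or in_known_file) else "medium",
                fingerprint=fingerprint(match.group(0)),
            ))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (stands in for a filesystem walk)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample corpus covering each appearance form from the page; keys are placeholders.
SAMPLE_FILES = {
    ".env": 'export DEEPGRAM_API_KEY="dg.EXAMPLEKEY0001"\nOTHER_SETTING=1\n',
    "config.json": '{\n  "deepgram": {\n    "apiKey": "dg.EXAMPLEKEY0002"\n  }\n}\n',
    "app.py": 'deepgram_api_key = "dg.EXAMPLEKEY0003"\n',
    "settings.yaml": "dsn: deepgram://api.deepgram.com?api_key=dg.EXAMPLEKEY0004\n",
    "README.md": "The dg.EXAMPLEKEY0005 token here is a docs placeholder.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.confidence}] {f.context} key={f.fingerprint}")
```

Hits in README.md come back as medium confidence because neither a known variable name nor a known file name backs them, which is how a triage queue would separate documentation placeholders from real configuration. Extending the scanner to a repository is a matter of replacing SAMPLE_FILES with a directory walk that reads each file into the same mapping.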
Remediation Steps
- Revoke immediately - Go to Deepgram Dashboard > API Keys and delete the compromised key.
- Audit access logs - Review Deepgram usage logs for unauthorized requests or unusual activity during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
- Rotate credential - Generate a new API key in the Deepgram Dashboard with least-privilege permissions.
- Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in Deepgram and require API key usage monitoring.
- Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.