# API Keys and Application Secrets Handling

One-sentence definition: Practices to protect non-human credentials (API keys, service tokens, application secrets) used by apps and services.

## Key Facts

- Prefer workload identity (OIDC, federated service accounts) over static keys: a short-lived, attested identity has nothing long-lived to steal.
- Scope keys minimally; restrict by source IP, HTTP referrer, or audience (the specific API the key may call).
- Rotate keys on a schedule and on suspected exposure; monitor usage for anomalies (new source IPs, volume spikes, calls outside the expected audience).
- Never embed secrets in client-side code or mobile apps; anything shipped to the client can be extracted from the bundle.
- Use TLS pinning and mTLS for high-trust channels.
- **Verify:** check the official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose the mitigation for a leaked mobile API key scenario.

**Mnemonic:** “Identity > Keys.”

## Mini Scenario

Q: A mobile app uses a hardcoded key. What is the risk, and what is the fix?

A: Key theft by anyone who unpacks the app. Move the privileged call to a backend that the app reaches through an OAuth2 flow, then rotate (revoke) the exposed key.

## Revision Checklist

- Name 3 scoping restrictions.
- Define the benefit of workload identity.
- State one detection method.

## Related

[[Secrets Management (Vaults, KMS, Rotation)]] · [[Key Management Basics (Asset Security)]] · [[Cloud Data Protection (SaaS, PaaS, IaaS)]] · [[CASB and SSPM/CSPM Overview]] · [[Data Loss Prevention (DLP)]] · [[Domain 2 - Index]]
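The "never embed secrets in client code" fact and the "state one detection method" checklist item both point at secret scanning of the app source or bundle. The block below is an added example, not part of the original note: a small scanner that combines well-known provider key formats (AWS access key IDs, Google API keys, GitHub personal access tokens; the patterns are commonly published formats and the list is deliberately short) with a generic check for credential-named assignments whose string value has high Shannon entropy. The Java sample it scans, the placeholder list and the entropy threshold are constructed for the example.

```python
"""Added example: scan source text for hardcoded API keys and secrets.
Not from the original note. Provider patterns are commonly published
formats; PLACEHOLDERS and ENTROPY_THRESHOLD are illustrative tuning values."""
import math
import re
from collections import Counter

# Provider-specific formats: fixed prefix plus fixed-length body.
KNOWN_KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}

# Generic catch: an identifier that looks like a credential, assigned a
# string literal of at least 12 characters. Accepts Java and Kotlin-style
# optional ": String" type annotations.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)\s*"
    r"(?::\s*String\s*)?=\s*['\"](?P<value>[^'\"]{12,})['\"]"
)

# Values that are obviously placeholders, not live credentials (hypothetical list).
PLACEHOLDERS = {"REPLACE_ME", "CHANGEME", "YOUR_API_KEY", "YOUR_API_KEY_HERE"}
ENTROPY_THRESHOLD = 3.5  # bits per character; hypothetical tuning value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(text: str) -> list:
    """Return one finding per suspected hardcoded credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in KNOWN_KEY_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if value.upper() in PLACEHOLDERS:
                continue
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy values are usually labels, not secrets
            if any(f["line"] == lineno and f["value"] == value for f in findings):
                continue  # already reported by a provider pattern
            findings.append({"line": lineno, "kind": "high_entropy_assignment",
                             "name": m.group("name"), "value": value})
    return findings


# Constructed sample of an Android config class; none of these are real credentials.
SAMPLE_ANDROID_SOURCE = """\
package com.example.app;

public final class Config {
    private static final String MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy";
    private static final String API_TOKEN = "YOUR_API_KEY_HERE";
    private static final String SESSION_SECRET = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b";
    private static final String DEV_API_KEY = "dev-dev-dev-dev-key";
    private static final String greeting = "hello world hello world";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
}
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_ANDROID_SOURCE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

Two things worth noticing in the output: `MAPS_KEY` and `AWS_KEY` are caught only because of the provider prefix, since their names do not contain "key" in a credential-like form, while `DEV_API_KEY` is skipped because its value is low-entropy. That second behaviour is the usual caveat with entropy-based scanning: a real but human-chosen password can slip under the threshold, so provider patterns and a review of credential-named assignments should be used together rather than relying on entropy alone.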
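The three scoping restrictions in the Key Facts (source IP, referrer, audience), rotation, and usage monitoring are what a gateway enforces once a key has been moved off the client. The block below is an added example, not from the original note, and not the code of any particular gateway product: it checks a call against a key record's scope and rotation age, and runs a simple leak detector that flags a key seen from more than a threshold number of distinct source IPs inside a sliding window, which is the usage pattern a key leaked from a mobile app typically produces. The `KeyRecord` and `ApiCall` shapes, the window, the threshold and the sample calls are all hypothetical and constructed here.

```python
"""Added example: gateway-side key scoping, rotation-age check and a
distinct-source-IP leak detector. Not from the original note; all record
shapes, thresholds and sample traffic are hypothetical."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlparse


@dataclass
class KeyRecord:
    key_id: str
    audience: str                     # the one API this key may call
    issued_at: datetime
    allowed_cidrs: Tuple[str, ...] = ()      # empty = no source-IP restriction
    allowed_referrers: Tuple[str, ...] = ()  # hostnames; empty = no restriction
    max_age: timedelta = timedelta(days=90)  # rotation policy
    revoked: bool = False


@dataclass
class ApiCall:
    key_id: str
    audience: str
    source_ip: str
    referrer: Optional[str]
    at: datetime


def check_scope(rec: KeyRecord, call: ApiCall) -> str:
    """Return 'ok' or the first scoping rule the call violates."""
    if rec.revoked:
        return "revoked"
    if call.at - rec.issued_at > rec.max_age:
        return "rotation_overdue"      # fail closed: an unrotated key stops working
    if call.audience != rec.audience:
        return "audience_mismatch"
    if rec.allowed_cidrs:
        ip = ipaddress.ip_address(call.source_ip)
        if not any(ip in ipaddress.ip_network(c) for c in rec.allowed_cidrs):
            return "ip_not_allowed"
    if rec.allowed_referrers:
        host = urlparse(call.referrer or "").hostname
        if host not in rec.allowed_referrers:
            return "referrer_not_allowed"
    return "ok"


class LeakDetector:
    """Flag a key used from more than max_ips distinct source IPs within window."""

    def __init__(self, window: timedelta = timedelta(minutes=10), max_ips: int = 3):
        self.window = window
        self.max_ips = max_ips
        self._seen = defaultdict(deque)   # key_id -> deque of (time, ip), oldest first

    def observe(self, call: ApiCall) -> bool:
        q = self._seen[call.key_id]
        q.append((call.at, call.source_ip))
        while q and call.at - q[0][0] > self.window:
            q.popleft()                    # slide the window forward
        return len({ip for _, ip in q}) > self.max_ips


# Constructed sample data (documentation IP ranges, fictional hosts).
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BACKEND_KEY = KeyRecord("k-backend", "maps", T0 - timedelta(days=10),
                        allowed_cidrs=("203.0.113.0/24",),
                        allowed_referrers=("api.example.test",))
OLD_KEY = KeyRecord("k-old", "maps", T0 - timedelta(days=120))
MOBILE_KEY = KeyRecord("k-mobile", "maps", T0 - timedelta(days=10))  # no IP scope

SCOPE_CALLS = [
    ApiCall("k-backend", "maps", "203.0.113.7", "https://api.example.test/geo", T0),
    ApiCall("k-backend", "maps", "198.51.100.9", "https://api.example.test/geo", T0),
    ApiCall("k-backend", "billing", "203.0.113.7", "https://api.example.test/geo", T0),
    ApiCall("k-backend", "maps", "203.0.113.7", "https://evil.example.test/", T0),
    ApiCall("k-old", "maps", "203.0.113.7", None, T0),
]
# The mobile key hits from five IPs in 2.5 minutes, then once more 20 minutes later.
LEAK_CALLS = [
    ApiCall("k-mobile", "maps", ip, None, T0 + timedelta(seconds=30 * i))
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.1",
                            "198.51.100.3", "198.51.100.4", "198.51.100.5"])
] + [ApiCall("k-mobile", "maps", "198.51.100.6", None, T0 + timedelta(minutes=20))]


def run_sample() -> dict:
    records = {"k-backend": BACKEND_KEY, "k-old": OLD_KEY}
    det = LeakDetector()
    return {
        "scope": [check_scope(records[c.key_id], c) for c in SCOPE_CALLS],
        "leak_flags": [det.observe(c) for c in LEAK_CALLS],
    }


if __name__ == "__main__":
    print(run_sample())
```

The ordering inside `check_scope` is deliberate: revocation and rotation age are checked before any scope rule, so a compromised or stale key is rejected even when the request otherwise looks legitimate. The detector's last result shows the sliding window forgetting the burst: one call from a new IP twenty minutes later is not, by itself, suspicious. In practice the flag would feed revocation of the key plus rotation, which is the "detect, then rotate" half of the mini scenario.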