Heroku API Key
Detects Heroku platform API keys in the prefixed HRKU- form. These keys authenticate to the Heroku Platform API and can deploy apps, read config vars and manage add-ons; a leak enables full account compromise.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the distinctive HRKU- prefix with a long high-entropy body makes false positives extremely unlikely. The legacy UUID form is excluded to preserve high confidence.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_-])HRKU-[A-Za-z0-9_-]{55,63}(?![A-Za-z0-9_-])
Corroborative evidence keywords
heroku, heroku api key, HEROKU_API_KEY, api.heroku.com, platform api, bearer
Proximity: 300 characters
Should match
- HRKU-AAaBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789-_AAaBcDeFgHiJkLmNoP — Heroku API key, HRKU- prefix + long body
- HEROKU_API_KEY=HRKU-AA0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST — Labelled Heroku API key in env var
- HRKU-zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLkKjJiIhHgGfFeEdDcCbBaA0123456 — Mixed-case Heroku API key
Should not match
- HRKU-tooShort — Too short to be a Heroku API key
- 01234567-89ab-cdef-0123-456789abcdef — Legacy bare-UUID form (no HRKU- prefix) - excluded by design
- set your heroku api key in the netrc file — Prose mention without a token value
Known false positives
- Documentation or examples showing placeholder HRKU- strings. Mitigation: Require corroborative Heroku keywords and exclude placeholder markers.
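
The mitigation above, as an added example (not part of the original pattern definition or of any vendor's engine): a Python scanner that applies the page's pattern and then looks for the corroborative keywords within 300 characters of each match, reporting only a redacted token. It assumes the proximity window applies on each side of the match and that keywords are matched case-insensitively; the last two samples are constructed edge cases.

```python
import re

# Pattern, keywords and proximity value copied from this page.
HEROKU_KEY = re.compile(r"(?<![A-Za-z0-9_-])HRKU-[A-Za-z0-9_-]{55,63}(?![A-Za-z0-9_-])")
KEYWORDS = ("heroku", "heroku api key", "HEROKU_API_KEY", "api.heroku.com",
            "platform api", "bearer")
PROXIMITY = 300  # assumption: characters on each side of the match


def scan(text):
    """Return one finding per pattern match, with corroborating keywords."""
    findings = []
    for m in HEROKU_KEY.finditer(text):
        # Search the surrounding context only, never the token itself.
        before = text[max(0, m.start() - PROXIMITY):m.start()]
        after = text[m.end():m.end() + PROXIMITY]
        context = (before + " " + after).lower()
        # Assumption: keyword comparison is case-insensitive.
        hits = sorted(k for k in KEYWORDS if k.lower() in context)
        token = m.group(0)
        findings.append({
            "offset": m.start(),
            "length": len(token),
            # Keep the full secret out of scanner output and logs.
            "redacted": token[:9] + "..." + token[-4:],
            "keywords": hits,
            "corroborated": bool(hits),
        })
    return findings


# Sample values taken from this page's match / non-match lists.
KEY = "HRKU-AA0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST"
SAMPLES = {
    "env var": "HEROKU_API_KEY=" + KEY,
    "bare token": KEY,
    "too short": "HRKU-tooShort",
    "legacy uuid": "01234567-89ab-cdef-0123-456789abcdef",
    "prose": "set your heroku api key in the netrc file",
    # Constructed edge cases (not from the page):
    "body too long": "heroku " + KEY + "abcdef",   # 64-character body
    "keyword too far": "heroku" + " " * 400 + KEY,  # keyword outside window
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan(text))
```

A match with `corroborated` set to false still fits the pattern; whether to alert on it or only record it is a policy choice the page leaves to the deploying platform.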