SendGrid API Key
Detects SendGrid (Twilio SendGrid) API keys, formatted as the prefix SG. followed by a 22-character key id, a dot, and a 43-character secret. A leaked key allows sending email and reading account data through the SendGrid API.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the SG. prefix with two fixed-length base64url segments separated by a dot is a distinctive SendGrid structure with very low false-positive risk.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 8
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9])SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9])
Corroborative evidence keywords
sendgrid, twilio sendgrid, api key, SENDGRID_API_KEY, mail send, bearer token, smtp
Proximity: 300 characters
Should match
- SG.ABCDEFGHIJKLMNOPQRSTUV.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq — SendGrid API key, SG. + 22 + . + 43
- SENDGRID_API_KEY=SG.zZyYxXwWvVuUtTsSrR0_-1.zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLk0123456789_- — Labelled SendGrid key in an env assignment
- SG.aB3dE6gH9jK2mN5pQ8sT1u.aB3dE6gH9jK2mN5pQ8sT1uV4wX7yZ0aB3dE6gH9jK2m — Mixed-case SendGrid key
Should not match
- SG.ABCDEFGHIJKLMNOPQRSTUV.TOOSHORT — Second segment too short to be a valid SendGrid secret
- SK.ABCDEFGHIJKLMNOPQRSTUV.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq — Wrong prefix (SK. instead of SG.)
- set the sendgrid api key in your mail send configuration — Prose mention without a token value
Known false positives
- Documentation or examples showing placeholder SG. strings. Mitigation: Require corroborative keywords and check for placeholder markers (example, xxxx).
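The pattern, keyword proximity and placeholder mitigation combined into one scanner, as an added example that is not part of the original rule or any vendor's engine. The verdict names, the `redact` helper, the two-sided proximity window and the context added to the sample lines are assumptions made for illustration.

```python
import re

# Pattern, keywords, proximity and placeholder markers are taken from the rule above.
PATTERN = re.compile(
    r"(?<![A-Za-z0-9])SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9])")
KEYWORDS = ("sendgrid", "twilio sendgrid", "api key", "sendgrid_api_key",
            "mail send", "bearer token", "smtp")
PLACEHOLDERS = ("example", "xxxx")
PROXIMITY = 300


def redact(token):
    """Keep the SG. prefix and key id for triage; never log the secret."""
    prefix, key_id, _secret = token.split(".")
    return f"{prefix}.{key_id}.<redacted>"


def scan(text):
    """Return (redacted_token, verdict) for every pattern match in text."""
    lowered = text.lower()
    findings = []
    for m in PATTERN.finditer(text):
        # Assumption: proximity is measured on both sides of the match,
        # and the token itself is not searched for keywords.
        context = (lowered[max(0, m.start() - PROXIMITY):m.start()] + " "
                   + lowered[m.end():m.end() + PROXIMITY])
        token = m.group().lower()
        if any(p in context or p in token for p in PLACEHOLDERS):
            verdict = "suppress"          # looks like documentation
        elif any(k in context for k in KEYWORDS):
            verdict = "report"            # pattern plus corroboration
        else:
            verdict = "low-confidence"    # pattern only
        findings.append((redact(m.group()), verdict))
    return findings


# Constructed input: the page's own test strings, some with added context.
SAMPLES = [
    "SENDGRID_API_KEY=SG.zZyYxXwWvVuUtTsSrR0_-1.zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLk0123456789_-",
    "token: SG.ABCDEFGHIJKLMNOPQRSTUV.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq",
    "# example: SG.aB3dE6gH9jK2mN5pQ8sT1u.aB3dE6gH9jK2mN5pQ8sT1uV4wX7yZ0aB3dE6gH9jK2m",
    "SG.ABCDEFGHIJKLMNOPQRSTUV.TOOSHORT",
    "SK.ABCDEFGHIJKLMNOPQRSTUV.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq",
    "set the sendgrid api key in your mail send configuration",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line))
```

Each sample is scanned on its own so that keywords from one line do not corroborate a token on another.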