What triggers a breach alert
Email alerts (default)
Email alerts are enabled by default for all accounts. Every breach event sends a notification to the address on your account within 30 seconds.
Configure the recipient in Settings → Notifications → Email. You can add up to 5 email recipients per organization.
Webhook alerts
Webhooks fire for every breach event in near-real-time. Configure a webhook endpoint in Settings → Notifications → Webhooks.
{ "event": "breach.attempt", "timestamp": "2026-05-10T14:22:11.341Z", "token_id": "7xKm9Lp2...", "token_name": "Production OpenAI", "origin": "https://malicious-site.com", "ip": "203.0.113.42", "country": "RU", "pop": "AMS", "attempts_in_window": 1}import crypto from "crypto"; export function verifyWebhook(payload: string, signature: string, secret: string) { const expected = crypto .createHmac("sha256", secret) .update(payload) .digest("hex"); return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(expected) );}Slack alerts
Connect Slack in Settings → Integrations → Slack. Alerts will appear in your chosen channel within 30 seconds of a breach event, formatted with origin, IP, country, and token name.
What to do when you receive an alert
- 1.
Don't panic
The unauthorized request was blocked. Your real API key was never used. No charges to your provider account.
- 2.
Check the origin
The alert includes the origin domain and IP. If it's your own deployment with a misconfigured origin, add the origin to the authorized list.
- 3.
Investigate if persistent
If the same IP keeps attempting, your token may have leaked publicly. Check git history and CI logs.
- 4.
Revoke and reissue if needed
In the dashboard, revoke the token in 2 clicks. Create a new token and update your deployment. The real API key does not need to change.