Inventory of API tokens / PATs
Demonstrate that the organization maintains a comprehensive, up-to-date inventory of all API tokens and personal access tokens with documented ownership, scope, and lifecycle metadata.
Description
What this control does
This control requires maintaining a complete, centralized inventory of all API tokens, personal access tokens (PATs), and service account credentials used across systems, applications, and cloud environments. The inventory should document token purpose, scope, ownership, creation date, expiration status, and last-use timestamp. Organizations must implement automated discovery mechanisms to detect untracked tokens and enforce registration requirements before tokens are issued. This control is critical because API tokens often possess powerful privileges and are frequently over-permissioned, long-lived, or orphaned when employees leave or projects end.
Control objective
What auditing this proves
Demonstrate that the organization maintains a comprehensive, up-to-date inventory of all API tokens and personal access tokens with documented ownership, scope, and lifecycle metadata.
Associated risks
Risks this control addresses
- Attackers exploit orphaned or forgotten tokens that retain elevated privileges long after their original use case has ended
- Former employees or contractors retain valid tokens after offboarding, maintaining unauthorized access to production systems
- Shadow IT generates untracked tokens with excessive permissions that bypass approval workflows and logging requirements
- Stolen tokens remain active indefinitely because no expiration enforcement or rotation policy exists for undocumented credentials
- Security teams cannot identify or revoke compromised tokens during incident response because no central registry exists
- Over-permissioned tokens grant unnecessary access because scope creep occurs without periodic review or least-privilege validation
- Compliance violations occur when auditors cannot trace API access to authorized personnel or business purposes
Testing procedure
How an auditor verifies this control
- Obtain the organization's current API token and PAT inventory from the designated system of record (spreadsheet, CMDB, secrets management platform, or identity governance tool).
- Review the inventory schema to verify it captures token identifier, owner name or service account, creation date, expiration date, scope/permissions, associated system or application, and last-use timestamp.
- Select three critical systems or cloud platforms (e.g., GitHub, AWS, Azure DevOps, Salesforce) and query their native token management interfaces to export all active tokens.
- Compare exported token lists against the centralized inventory to identify any tokens present in production systems but absent from the inventory documentation.
- Select a sample of 15-20 tokens from the inventory spanning multiple systems and verify each entry's metadata by cross-referencing with source system records and owner confirmation.
- Interview token owners or administrators to confirm understanding of token purpose, validate current business need, and assess whether permissions align with documented scope.
- Review automated discovery mechanisms (scanning scripts, API integrations, or governance tools) and examine execution logs from the past 30 days to verify continuous monitoring is operational.
- Test token lifecycle procedures by requesting evidence of at least three recent token deprovisioning events triggered by employee offboarding or project closure, verifying removal from both inventory and production systems.
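The reconciliation the testing procedure above calls for (export each platform's active tokens, diff them against the central inventory, then check every inventory record's metadata), as an added Python example that is not part of the original control text; the inventory records, platform exports, audit date and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date, timedelta
REQUIRED = ("token_id", "owner", "system", "created", "expires", "scope")  # per the inventory schema
# Constructed sample data, not real tokens or inventory records.
INVENTORY = [
    {"token_id": "gh-001", "owner": "ci-bot", "system": "GitHub", "created": "2024-01-10",
     "expires": "2025-01-10", "scope": "repo:read", "last_used": "2024-12-20"},
    {"token_id": "gh-002", "owner": "", "system": "GitHub", "created": "2023-03-01",
     "expires": "2024-03-01", "scope": "repo", "last_used": "2024-12-28"},
    {"token_id": "aws-001", "owner": "deploy-svc", "system": "AWS", "created": "2024-06-01",
     "expires": "2025-06-01", "scope": "s3:PutObject", "last_used": "2024-08-15"},
    {"token_id": "aws-099", "owner": "j.doe", "system": "AWS", "created": "2024-02-01",
     "expires": "2025-02-01", "scope": "iam:*", "last_used": "2024-12-01"},
]
# What each platform's native token interface reports as currently active (constructed).
EXPORTS = {
    "GitHub": [{"token_id": "gh-001", "scope": "repo:read"},
               {"token_id": "gh-002", "scope": "repo, admin:org"},
               {"token_id": "gh-777", "scope": "repo"}],
    "AWS": [{"token_id": "aws-001", "scope": "s3:PutObject"}],
}
AUDIT_DATE = date(2025, 1, 6)  # assumed date of the audit run

def reconcile(inventory, exports, today, stale_days=90):
    """Return {finding category: sorted token ids} for the audit workpaper."""
    by_id = {r["token_id"]: r for r in inventory}
    active = {(plat, t["token_id"]): t for plat, toks in exports.items() for t in toks}
    f = {k: set() for k in ("untracked", "not_in_system", "incomplete",
                            "expired_active", "stale", "scope_drift")}
    for (plat, tid), tok in active.items():
        rec = by_id.get(tid)
        if rec is None or rec["system"] != plat:
            f["untracked"].add(tid)       # live in production, absent from inventory
            continue
        if date.fromisoformat(rec["expires"]) < today:
            f["expired_active"].add(tid)  # documented as expired, still accepted
        if tok["scope"] != rec["scope"]:
            f["scope_drift"].add(tid)     # permissions changed without re-registration
    for tid, rec in by_id.items():
        if (rec["system"], tid) not in active:
            f["not_in_system"].add(tid)   # inventory says live, platform does not
        if any(not rec.get(k) for k in REQUIRED):
            f["incomplete"].add(tid)      # ownership or lifecycle metadata missing
        last = rec.get("last_used")
        if last and date.fromisoformat(last) < today - timedelta(days=stale_days):
            f["stale"].add(tid)           # unused beyond threshold: revocation review
    return {k: sorted(v) for k, v in f.items()}
if __name__ == "__main__":
    for cat, ids in reconcile(INVENTORY, EXPORTS, AUDIT_DATE).items():
        print(f"{cat:15s} {ids}")
```

Each category maps to one finding an auditor would raise: untracked tokens fail the inventory-completeness test, expired-but-active and scope-drift entries fail the metadata verification, and stale or ownerless records feed the owner interviews and deprovisioning evidence requests.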
Where this control is tested