{"id":1551,"date":"2026-06-03T22:34:58","date_gmt":"2026-06-03T22:34:58","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=1551"},"modified":"2026-06-03T22:34:58","modified_gmt":"2026-06-03T22:34:58","slug":"when-mfa-is-not-enough-tokens-cookies-and-api-keys-as-the-new-access-keys","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2026\/06\/03\/when-mfa-is-not-enough-tokens-cookies-and-api-keys-as-the-new-access-keys\/","title":{"rendered":"When MFA Is Not Enough: Tokens, Cookies, and API Keys as the New Access Keys"},"content":{"rendered":"\n<p>In recent years, Multi-Factor Authentication \u2014better known as <a href=\"https:\/\/www.ibm.com\/mx-es\/think\/topics\/multi-factor-authentication\">MFA<\/a> \u2014 has become one of the main recommendations for protecting corporate accounts, web applications, cloud services, development platforms, and administrative access to critical infrastructure. The logic is simple: even if an adversary obtains the password, they will need a second mechanism to successfully gain access.<\/p>\n\n\n\n<p>In this context, application security testing, architecture reviews, and incident <a href=\"https:\/\/www.obsidiansecurity.com\/blog\/token-based-attacks-how-attackers-bypass-mfa\">investigations<\/a>, as well as research conducted by the Cyber Threat Research team at the Scitum Innovation Center, show an increasingly frequent pattern: many modern attacks no longer seek to compromise MFA, but to bypass it entirely. To do so, adversaries target the elements generated after the user has already authenticated successfully: <a href=\"https:\/\/www.ibm.com\/docs\/es\/sva\/11.0.0?topic=cookies-session-concepts\">session cookies<\/a>, <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc6749\">OAuth 2.0 tokens<\/a>, <a href=\"https:\/\/www.obsidiansecurity.com\/blog\/sso-bypass-attack-techniques\">SSO (Single Sign-On)<\/a>, <a href=\"https:\/\/portswigger.net\/web-security\/jwt\">JWT (JSON Web Token)<\/a>, <a href=\"https:\/\/www.oauth.com\/oauth2-servers\/definitions\/\">access and refresh tokens<\/a>, and <a href=\"https:\/\/www.akamai.com\/glossary\/what-are-api-attacks\">API keys<\/a>.<\/p>\n\n\n\n<p>These elements function as access artifacts. If they are valid, the application or API assumes that whoever presents them is the authorized user, application, or service. Therefore, when an adversary obtains them, they can access protected resources without knowing the password and without going through multifactor authentication again.<\/p>\n\n\n\n<p>The objective of this article is to explain, from a technical perspective, why the theft or abuse of tokens, cookies, OAuth, and API keys represents a design problem in many current architectures, how adversaries are exploiting these weaknesses in recent attacks, and what controls organizations can implement to reduce this risk.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><strong><strong>The problem: identity also exists after login<\/strong><\/strong><\/h6>\n\n\n\n<p>When a user logs in to an application, the following usually occurs:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"399\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-1-EN-1-1024x399.png\" alt=\"\" class=\"wp-image-1555\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-1-EN-1-1024x399.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-1-EN-1-300x117.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-1-EN-1-768x299.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-1-EN-1.png 1234w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 1 Typical authentication flow<\/figcaption><\/figure>\n\n\n\n<p>This prevents the user from having to enter a password and MFA for every click or interaction with the application, improving usability and the user&#8217;s browsing experience. The problem arises when those elements are treated as portable, reusable, and long-lived values.<\/p>\n\n\n\n<p>In practice, a session object can represent different risks, such as:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Element<\/strong><\/td><td><strong><strong>Common use<\/strong><\/strong><\/td><td><strong><strong>Main risk<\/strong><\/strong><\/td><\/tr><tr><td>Session cookie<\/td><td>Keep the user authenticated in the browser<\/td><td>If stolen, it enables <a href=\"https:\/\/owasp.org\/www-community\/attacks\/Session_hijacking_attack\">session hijacking<\/a> or <a href=\"https:\/\/attack.mitre.org\/techniques\/T1539\/\">cookie hijacking<\/a>.<\/td><\/tr><tr><td>Access token<\/td><td><span class=\"TextRun Highlight SCXW205545380 BCX8\" lang=\"ES-MX\" xml:lang=\"ES-MX\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW205545380 BCX8\">Authorize calls to APIs or endpoints<\/span><\/span><\/td><td>If leaked, it enables access to resources within the authorized scope<\/td><\/tr><tr><td>Refresh token<\/td><td>Renew access tokens without requiring login again<\/td><td>If stolen, it extends the duration of the session stolen by the adversary<\/td><\/tr><tr><td>API key<\/td><td>Authenticate scripts, services, or integrations<\/td><td>If exposed, it enables direct abuse of available endpoints<\/td><\/tr><tr><td>OAuth grant<\/td><td>Authorize a third-party application<\/td><td>If compromised, it can open a persistent access path that could culminate in a supply chain attack<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Table 1 Uses vs risks in session elements<\/figcaption><\/figure>\n\n\n\n<p>The key point is this: MFA strengthens authentication, but it does not always protect the subsequent use of the elements issued after access is granted.<\/p>\n\n\n\n<p>Therefore, a useful question for evaluating an application&#8217;s design is not only:<\/p>\n\n\n\n<p>Does the application have MFA?<\/p>\n\n\n\n<p>But also:<\/p>\n\n\n\n<p>What can an adversary do if they obtain a valid cookie, token, refresh token, or API key?<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Session Cookie Theft: the access that the browser stores for us<\/h3>\n\n\n\n<p>Session cookies are one of the most common ways to keep a user authenticated in a web application. Once the user logs in, the server sends a cookie to the browser. In subsequent requests, the browser automatically includes it in the web request headers so that the server recognizes the session as valid.<\/p>\n\n\n\n<p>From the user&#8217;s perspective, this is transparent. From the server&#8217;s perspective, the cookie represents an already authenticated session.<\/p>\n\n\n\n<p>The problem is that many applications do not validate enough context around that cookie. If a malicious user manages to obtain it, they can attempt to reuse it from another browser, another device, or even another region.<\/p>\n\n\n\n<p>These attacks usually look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"396\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-2-EN-1024x396.png\" alt=\"\" class=\"wp-image-1556\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-2-EN-1024x396.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-2-EN-300x116.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-2-EN-768x297.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-2-EN.png 1234w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 2 Cookie theft attack flow<\/figcaption><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\"><strong><strong>Design lesson<\/strong><\/strong><\/h6>\n\n\n\n<p>MFA protects the user in the event of username and password theft; however, the system trusts the authentication element generated after access. In other words, the second factor has already been provided by the victim. The adversary does not need to repeat it if the application accepts the cookie as sufficient proof of authentication.<\/p>\n\n\n\n<p>In this scenario, OWASP proposes four <a href=\"https:\/\/owasp.org\/www-project-web-security-testing-guide\/latest\/4-Web_Application_Security_Testing\/06-Session_Management_Testing\/11-Testing_for_Concurrent_Sessions\">crucial elements<\/a> to mitigate this failure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User notifications<\/strong>: Notify users after each successful login so they are aware of active sessions<\/li>\n\n\n\n<li><strong>Session management page<\/strong>: Create a dedicated page to display and allow termination of active sessions, giving the user greater control<\/li>\n\n\n\n<li><strong>IP address tracking<\/strong>: Track the IP addresses of users who log in to an account and detect any suspicious activity, such as multiple logins from different locations<\/li>\n\n\n\n<li><strong>IP address restrictions<\/strong>: Allow users to specify trusted IP addresses or IP address ranges from which they can access their accounts, improving security by restricting sessions to known and approved locations.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Infostealers: when the browser becomes the target<\/h3>\n\n\n\n<p>Another common way to obtain API keys, cookies, and tokens is through infostealer malware. Unlike other threats, this malicious code does not necessarily seek to encrypt files or act as a backdoor; its <a href=\"https:\/\/docs.cyberark.com\/epm\/latest\/en\/content\/featurespotlight\/infostealer-malware.htm\">goal<\/a> is to collect valuable information from the compromised device.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.huntress.com\/blog\/why-hackers-don't-need-passwords-anymore\">data<\/a> it may attempt to obtain includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Session cookies<\/li>\n\n\n\n<li><a href=\"https:\/\/www.kaseya.com\/blog\/what-is-token-theft\/\">Locally stored tokens<\/a><\/li>\n\n\n\n<li>Saved passwords<\/li>\n\n\n\n<li>Browsing history<\/li>\n\n\n\n<li>Digital wallet information<\/li>\n\n\n\n<li>Configuration files<\/li>\n\n\n\n<li>Environment variables<\/li>\n\n\n\n<li>Development tool credentials<\/li>\n<\/ul>\n\n\n\n<p>This type of malware is especially <a href=\"https:\/\/threatresearch.ext.hp.com\/tracing-the-rise-of-breaches-involving-session-cookie-theft\/\">dangerous<\/a> on workstations used by developers, system administrators, support teams, and users with access to multiple <a href=\"https:\/\/aws.amazon.com\/es\/what-is\/saas\/\">SaaS<\/a> applications, because of the number of access artifacts stored on those devices.<\/p>\n\n\n\n<p>These attacks usually look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"401\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-3-EN-1024x401.png\" alt=\"\" class=\"wp-image-1557\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-3-EN-1024x401.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-3-EN-300x117.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-3-EN-768x301.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-3-EN.png 1234w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 3 Infostealer attack flow<\/figcaption><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\"><strong><strong>Design lesson<\/strong><\/strong><\/h6>\n\n\n\n<p>Many active sessions live in the browser. If the user is already logged in to email, cloud tenants or consoles, repositories, internal applications, and collaboration tools, the device becomes a concentration point for multiple access paths.<\/p>\n\n\n\n<p>For this reason, protecting identity no longer means focusing only on protecting the authentication method. It also means protecting the user&#8217;s device, browser, extensions, integrations, and installed software, in addition to having an identity management provider.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">AiTM Attacks: when the attacker positions themselves in the middle of the login process<\/h3>\n\n\n\n<p>Another relevant technique related to this problem is the Adversary-in-the-Middle, or AiTM, attack. Unlike traditional phishing, which tries to trick the user with a fake page, this <a href=\"https:\/\/attack.mitre.org\/techniques\/T1557\/\">type<\/a> of <a href=\"https:\/\/www.group-ib.com\/resources\/knowledge-hub\/aitm-attack\/\">attack<\/a> can operate as an intermediary or proxy between the victim and the legitimate site.<\/p>\n\n\n\n<p>The user believes they are interacting with the real service, enters their credentials, and completes MFA. Meanwhile, the legitimate service validates the authentication and issues the session. Because the adversary is positioned in the middle of the flow, they can capture cookies or tokens issued during the process.<\/p>\n\n\n\n<p>The result is concerning: the user sees a successful login, while the adversary has already obtained the elements required to also have an <a href=\"https:\/\/www.obsidiansecurity.com\/blog\/token-based-attacks-how-attackers-bypass-mfa\">authenticated session<\/a>.<\/p>\n\n\n\n<p>This model has been used by phishing-as-a-service <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/06\/ai-enabled-device-code-phishing-campaign-april-2026\/\">campaigns<\/a> in recent years where attackers do not need to develop the entire infrastructure from scratch; they only need to intercept the authentication request. In other words, instead of stealing only passwords, the goal is to capture valid sessions.<\/p>\n\n\n\n<p>AiTM attacks usually look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"521\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-4-EN-1024x521.png\" alt=\"\" class=\"wp-image-1558\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-4-EN-1024x521.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-4-EN-300x153.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-4-EN-768x391.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-4-EN.png 1158w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 4 Flow of an AiTM attack<\/figcaption><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\"><strong><strong>Design lesson<\/strong><\/strong><\/h6>\n\n\n\n<p>MFA based on codes, push notifications, or simple approvals may be insufficient against attacks that intercept the authentication flow. In these cases, phishing-resistant controls, such as <a href=\"http:\/\/[1] https:\/\/www.microsoft.com\/es-mx\/security\/business\/security-101\/what-is-fido2\">FIDO2<\/a> or <a href=\"https:\/\/developers.google.com\/identity\/passkeys?hl=es-419\">passkeys<\/a> with origin validation, provide a better defense because authentication is cryptographically bound to the legitimate domain.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">OAuth Abuse: when delegated trust becomes an attack surface<\/h3>\n\n\n\n<p>OAuth allows an application to access resources on behalf of the user without sharing the password. It is a key component of modern integration across platforms: email, cloud storage, calendars, code repositories, <a href=\"https:\/\/www.redhat.com\/en\/topics\/devops\/what-is-ci-cd\">CI\/CD<\/a> tools, and SaaS applications.<\/p>\n\n\n\n<p>OAuth security failures do not lie in its architecture, but in its use without adequate governance.<\/p>\n\n\n\n<p>When a user authorizes an OAuth application, they may grant it permissions such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Read email<\/li>\n\n\n\n<li>Read or modify files<\/li>\n\n\n\n<li>Access repositories<\/li>\n\n\n\n<li>View profile information<\/li>\n\n\n\n<li>Keep access without user interaction through refresh tokens<\/li>\n<\/ul>\n\n\n\n<p>If an authorized OAuth application is compromised, or if the user grants access to a malicious application, the adversary can obtain persistent access without needing to acquire the user&#8217;s password.<\/p>\n\n\n\n<p>In corporate environments, many SaaS applications connect to each other through OAuth, allowing a provider\/third party to access different services such as Google Workspace, Microsoft 365, GitHub, Slack, Jira, Vercel, among others, as well as internal tools. This creates a chain of trust. If one link is compromised, the impact can spread &#8211; or become a supply chain attack &#8211; to platforms that were not directly attacked, something observed in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/d\/vercel-breach-oauth-supply-chain.html\">recent attacks<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"493\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-5-EN-1024x493.png\" alt=\"\" class=\"wp-image-1559\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-5-EN-1024x493.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-5-EN-300x145.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-5-EN-768x370.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-5-EN.png 1127w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 5 Flow of an OAuth theft attack<\/figcaption><\/figure>\n\n\n\n<p>The risk is aggravated when organizations do not have an inventory of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authorized OAuth applications<\/li>\n\n\n\n<li>Users who granted permissions<\/li>\n\n\n\n<li>Granted scopes<\/li>\n\n\n\n<li>Authorization date<\/li>\n\n\n\n<li>Recent token use<\/li>\n\n\n\n<li>Applications without a clear owner<\/li>\n\n\n\n<li>Integrations that are no longer used<\/li>\n<\/ul>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Design lesson<\/strong><\/h6>\n\n\n\n<p>An OAuth application used in the organization should not be seen as a simple user preference. It should be treated as a provider with access to corporate data. This implies review, approval, monitoring, expiration, and periodic revocation.<\/p>\n\n\n\n<p>Additionally, it should be kept in mind that authorization granted to a compromised third-party application can always become an entry vector into your organization.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Device Code Flow: a legitimate flow with potential for abuse<\/h3>\n\n\n\n<p>OAuth also includes <a href=\"https:\/\/oauth.net\/2\/device-flow\/\">flows<\/a> designed for devices with limited input capabilities, such as televisions, consoles, printers, or devices without keyboards. One of these is <a href=\"https:\/\/auth0.com\/docs\/get-started\/authentication-and-authorization-flow\/device-authorization-flow\">Device Code Flow<\/a>.<\/p>\n\n\n\n<p>The legitimate flow works as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"399\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-6-EN-1024x399.png\" alt=\"\" class=\"wp-image-1560\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-6-EN-1024x399.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-6-EN-300x117.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-6-EN-768x299.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-6-EN.png 1199w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 6 Legitimate operation of Device Code Flow<\/figcaption><\/figure>\n\n\n\n<p>The problem arises when the device that initiated the flow does not belong to the user, but to the adversary. In that scenario, the victim may enter an adversary&#8217;s code on a legitimate page from the identity provider, complete MFA, and approve the request without realizing that they have granted a valid session to the malicious actor.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"427\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-7-EN-1024x427.png\" alt=\"\" class=\"wp-image-1561\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-7-EN-1024x427.png 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-7-EN-300x125.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-7-EN-768x321.png 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-7-EN.png 1241w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 7 Flow of a Device Code Flow-based attack<\/figcaption><\/figure>\n\n\n\n<p>This technique is especially dangerous because the user may see a legitimate domain in the browser. As a result, the victim is not necessarily entering their password on a fake page; they are completing a real flow that was initiated with malicious intent, as observed in recent campaigns such as <em><a href=\"https:\/\/www.ic3.gov\/PSA\/2026\/PSA260521\">EvilTokens<\/a><\/em> analyzed by the Scitum Innovation Center.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Design lesson<\/strong><\/h6>\n\n\n\n<p>Flows that generate one-time access codes should be restricted. When they are required, they must be subject to conditional access, monitoring, and revocation after use. The user must understand that entering an unsolicited device code may be equivalent to authorizing a third-party session.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">API Keys: access used by devices that does not require MFA<\/h3>\n\n\n\n<p>API keys are common in integrations, automations, scripts, <a href=\"https:\/\/auth0.com\/blog\/api-key-security-for-ai-agents\/\">agents<\/a>, <a href=\"https:\/\/techdocs.broadcom.com\/us\/en\/vmware-cis\/aria\/aria-automation\/8-14\/using-pipelines-on-prem-master-map-8-14\/tutorials\/how-do-i-use-a-rest-api-to-integrate-vmware-code-stream-with-other-applications.html\">pipelines, and backend applications<\/a>. Their advantage is that they are simple to use; their <a href=\"https:\/\/api7.ai\/blog\/disadvantages-of-api-keys\">disadvantage<\/a> is that whoever knows the API key has the access.<\/p>\n\n\n\n<p>It should be noted that an API key generally does not require MFA. Therefore, if it is leaked in a repository, configuration file, environment variable, log, browser extension, or development tool, the adversary can reuse the API directly against the endpoints.<\/p>\n\n\n\n<p>The most <a href=\"https:\/\/nordicapis.com\/10-security-issues-with-api-keys\/\">common security failures<\/a> include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keys explicitly declared (hardcoded) in source code<\/li>\n\n\n\n<li>Keys accidentally published in repositories<\/li>\n\n\n\n<li>Keys in frontend or mobile applications<\/li>\n\n\n\n<li>Environment variables visible to more users than necessary<\/li>\n\n\n\n<li>Keys without rotation<\/li>\n\n\n\n<li>Keys with excessive permissions<\/li>\n\n\n\n<li>Lack of monitoring for use or anomalous behavior<\/li>\n\n\n\n<li>Lack of separation between development, testing, and production<\/li>\n<\/ul>\n\n\n\n<p>An API key with broad permissions can <a href=\"https:\/\/www.obsidiansecurity.com\/blog\/small-tools-big-risk-when-browser-extensions-start-stealing-api-keys\">become a master key<\/a>. For example, a key used to query data may not seem critical, but if it also allows writing, deletion, or administration, the impact changes completely.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1016\" height=\"516\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-8-EN.png\" alt=\"\" class=\"wp-image-1562\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-8-EN.png 1016w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-8-EN-300x152.png 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig-8-EN-768x390.png 768w\" sizes=\"auto, (max-width: 1016px) 100vw, 1016px\" \/><figcaption class=\"wp-element-caption\">Figure 8 Flow of an API key theft-based attack<\/figcaption><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Design lesson<\/strong><\/h6>\n\n\n\n<p>API keys must be treated as high-value secrets. They should not be permanent by default, should not have global permissions, and should not be stored in locations where multiple users, tools, malware, or processes can read them without control.<\/p>\n\n\n\n<p>Additionally, the <a href=\"https:\/\/auth0.com\/blog\/oauth2-access-tokens-and-principle-of-least-privilege\/\">principle of least privilege<\/a> must also be applied to device identities.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations<\/h2>\n\n\n\n<p>There is no single control that solves all of these scenarios. Defense must combine protection focused on people, processes, and technology. The following recommendations focus on these aspects.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Technology-focused<\/h5>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong><strong>Phishing-resistant MFA<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>Whenever possible, and in highly critical applications, prioritize FIDO2, security keys, or passkeys. These methods validate the origin of the authentication and reduce the risk of AiTM attacks compared with elements such as SMS, OTP, or simple push approvals.<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong><strong>Conditional access and continuous evaluation<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>Sessions should be evaluated with additional signals, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed device<\/li>\n\n\n\n<li>Security posture compliance<\/li>\n\n\n\n<li>Location<\/li>\n\n\n\n<li>ASN or source network<\/li>\n\n\n\n<li>User risk<\/li>\n\n\n\n<li>Sign-in risk<\/li>\n\n\n\n<li>User-Agent changes<\/li>\n\n\n\n<li>Use from atypical countries or regions<\/li>\n\n\n\n<li>Impossible travel events<\/li>\n<\/ul>\n\n\n\n<p>When the context changes, the session should force re-authentication or be revoked.<\/p>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong><strong>Reducing token lifetime<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>Access tokens should be short-lived. Refresh tokens should have <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Session_Management_Cheat_Sheet.html\">policies<\/a> for expiration, rotation, revocation, and reuse detection.<\/p>\n\n\n\n<p>A long-lived token equals a broader attack window.<\/p>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong> <strong>Cookie protection<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>Applications should use attributes and controls such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secure<\/li>\n\n\n\n<li>HttpOnly<\/li>\n\n\n\n<li>SameSite<\/li>\n\n\n\n<li>Secure prefixes where applicable<\/li>\n\n\n\n<li>Idle expiration<\/li>\n\n\n\n<li>Absolute expiration<\/li>\n\n\n\n<li>Session regeneration after privilege changes<\/li>\n\n\n\n<li>Re-authentication for sensitive operations<\/li>\n\n\n\n<li>Detection of abrupt changes in IP, device, or User-Agent<\/li>\n<\/ul>\n\n\n\n<p>These controls do not eliminate all risks, but they reduce the impact of common attacks.<\/p>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong> <strong>Device-bound or client-bound tokens<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>When supported by the platform, evaluate mechanisms such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.verify.ibm.com\/ibm-security-verify-access\/docs\/tasks-certboundaccesstoken\">Sender-constrained tokens<\/a><a name=\"_ftnref2\" href=\"#_ftn2\"><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/oauth.net\/2\/dpop\/\">Demonstrating Proof-of-Possession (DPoP)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.cloudflare.com\/es-es\/learning\/access-management\/what-is-mutual-tls\/\">TLS mutuo (mTLS)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/blog.google\/security\/protecting-cookies-with-device-bound-session-credentials\/\">Device-bound sessions\/credentials (DBSC)<\/a><\/li>\n\n\n\n<li>Client certificates<\/li>\n\n\n\n<li>Hardware-bound session controls<\/li>\n<\/ul>\n\n\n\n<p>The idea is to reduce token portability. A stolen token should be useless outside the context in which it was issued.<\/p>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><strong><strong>OAuth governance<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>Organizations must <a href=\"https:\/\/developers.google.com\/identity\/protocols\/oauth2\/resources\/best-practices\">keep control<\/a> over:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authorized OAuth applications<\/li>\n\n\n\n<li>Allowed scopes<\/li>\n\n\n\n<li>User awareness<\/li>\n\n\n\n<li>Definition of high-risk applications<\/li>\n\n\n\n<li><a href=\"https:\/\/graphpermissions.merill.net\/permission\/offline_access\">offline_access permissions<\/a><\/li>\n\n\n\n<li>Applications with unused authorization or that have not been used recently<\/li>\n\n\n\n<li>Third-party integrations<\/li>\n\n\n\n<li>Internal owners for each integration<\/li>\n<\/ul>\n\n\n\n<p>It is also recommended to block user consent for high-impact permissions and require administrative approval in high-risk applications such as Office 365.<\/p>\n\n\n\n<ol start=\"7\" class=\"wp-block-list\">\n<li><strong><strong>Device Code Flow restriction<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>If the organization does not need Device Code Flow, it should block it. If it does need it, it should limit it to specific users, groups, applications, or devices.<\/p>\n\n\n\n<p>Alerts should also exist for authentications through this flow when they do not match the user&#8217;s normal profile.<\/p>\n\n\n\n<p>Some indicators that can help identify Device Code Flow abuse include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Device flow authentications by users who do not usually use that type of device<\/li>\n\n\n\n<li>Code requests following clicks in external emails<\/li>\n\n\n\n<li>Tokens issued to applications that are not allowed<\/li>\n\n\n\n<li>Subsequent access from unusual infrastructure (<a href=\"https:\/\/www.isaca.org\/resources\/isaca-journal\/issues\/2016\/volume-5\/geolocationthe-risk-and-benefits-of-a-trending-technology\">use of geolocation<\/a>)<\/li>\n\n\n\n<li>Sudden increase in operations via API, for example, reading email or files<\/li>\n<\/ul>\n\n\n\n<ol start=\"8\" class=\"wp-block-list\">\n<li><strong><strong>Secure API key management<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>API keys should be stored in secret vaults, not in source code or local files. In addition, they should have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimum scope<\/li>\n\n\n\n<li>Environment separation<\/li>\n\n\n\n<li>Periodic rotation<\/li>\n\n\n\n<li>Expiration<\/li>\n\n\n\n<li>Usage monitoring<\/li>\n\n\n\n<li>IP restriction, when possible<\/li>\n\n\n\n<li>Alerts for anomalous use<\/li>\n\n\n\n<li>Rapid revocation<\/li>\n<\/ul>\n\n\n\n<p>When feasible, it is recommended to replace static API keys with <a href=\"https:\/\/www.paloaltonetworks.lat\/cyberpedia\/what-is-workload\">workload<\/a> identities, federated credentials, or <a href=\"https:\/\/www.okta.com\/identity-101\/whats-the-difference-between-oauth-openid-connect-and-saml\/\">OAuth\/OIDC\/SAML<\/a> with short-lived tokens.<\/p>\n\n\n\n<ol start=\"9\" class=\"wp-block-list\">\n<li><strong><strong><strong>Device and browser security<\/strong><\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>The device should be seen as part of the identity plane. Relevant controls include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EDR with infostealer detection<\/li>\n\n\n\n<li>Blocking execution from temporary locations<\/li>\n\n\n\n<li>Restriction of unauthorized PowerShell<\/li>\n\n\n\n<li>USB device control<\/li>\n\n\n\n<li>Local privilege management<\/li>\n\n\n\n<li>Updated browsers<\/li>\n\n\n\n<li>Extension control<\/li>\n\n\n\n<li>Separation of personal and corporate profiles<\/li>\n\n\n\n<li>Monitoring of attempts to access cookie or credential stores<\/li>\n<\/ul>\n\n\n\n<ol start=\"10\" class=\"wp-block-list\">\n<li><strong> <strong>Token-oriented detection<\/strong><\/strong><\/li>\n<\/ol>\n\n\n\n<p>Many organizations investigate compromises as if everything started with a password. In modern attacks, this can be insufficient.<\/p>\n\n\n\n<p>Some signals to monitor include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of a refresh token from a new location<\/li>\n\n\n\n<li>Token used from an unmanaged device<\/li>\n\n\n\n<li>Unusual OAuth consent<\/li>\n\n\n\n<li>Mass reading of email or files via API<\/li>\n\n\n\n<li>Creation of mailbox rules after a suspicious login<\/li>\n\n\n\n<li>Mass enumeration of environment variables<\/li>\n\n\n\n<li>Use of an API key from an unusual IP address or region<\/li>\n\n\n\n<li>Sudden increase in errors and successes on sensitive endpoints<\/li>\n\n\n\n<li>Access to repositories or secrets outside normal hours<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h5 class=\"wp-block-heading\"><strong><strong>Process-focused<\/strong><\/strong><\/h5>\n\n\n\n<p><strong><strong>Inventory of sessions, tokens, and applications<\/strong><\/strong><\/p>\n\n\n\n<p>You cannot protect what you do not know. Organizations should maintain inventories of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Applications connected through OAuth<\/li>\n\n\n\n<li>Active API keys<\/li>\n\n\n\n<li>Secrets in CI\/CD<\/li>\n\n\n\n<li>Bot tokens<\/li>\n\n\n\n<li>Service accounts<\/li>\n\n\n\n<li>Integrations between SaaS applications<\/li>\n\n\n\n<li>Users with permissions to create or authorize applications<\/li>\n\n\n\n<li>Locations where environment variables are stored<\/li>\n<\/ul>\n\n\n\n<p><strong><strong>Incident response playbooks<\/strong><\/strong><\/p>\n\n\n\n<p>When session theft is suspected, changing the password is not enough. The playbook should consider:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Revoking active sessions<\/li>\n\n\n\n<li>Revoking refresh tokens<\/li>\n\n\n\n<li>Removing suspicious OAuth consents<\/li>\n\n\n\n<li>Rotating API keys<\/li>\n\n\n\n<li>Rotating CI\/CD secrets<\/li>\n\n\n\n<li>Reviewing mailbox rules<\/li>\n\n\n\n<li>Reviewing connected applications<\/li>\n\n\n\n<li>Looking for access via API<\/li>\n\n\n\n<li>Reviewing repositories and environment variables<\/li>\n\n\n\n<li>Triaging the user&#8217;s device<\/li>\n\n\n\n<li>Validating persistence in SaaS<\/li>\n<\/ul>\n\n\n\n<p><strong><strong>Periodic permission review<\/strong><\/strong><\/p>\n\n\n\n<p>Granted permissions tend to grow over time. Therefore, it is recommended to periodically review:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OAuth scopes<\/li>\n\n\n\n<li>Unused applications<\/li>\n\n\n\n<li>API keys without an owner<\/li>\n\n\n\n<li>Old secrets<\/li>\n\n\n\n<li>Service accounts with excessive privileges<\/li>\n\n\n\n<li>Provider integrations that are no longer necessary<\/li>\n<\/ul>\n\n\n\n<p><strong><strong>Vendor management<\/strong><\/strong><\/p>\n\n\n\n<p>A provider with OAuth or API access to corporate data should be assessed as a third party with privileged access. This includes security controls, incident notification, credential rotation, access limits, and contractual review.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h5 class=\"wp-block-heading\"><strong><strong>People-focused<\/strong><\/strong><\/h5>\n\n\n\n<p><strong><strong>Awareness beyond the password<\/strong><\/strong><\/p>\n\n\n\n<p>For years, training focused on &#8220;do not share your password.&#8221; Today, that message is insufficient.<\/p>\n\n\n\n<p>Users should also know that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Entering an unsolicited device code can authorize access for an adversary<\/li>\n\n\n\n<li>An unexpected MFA approval should be reported<\/li>\n\n\n\n<li>An application requesting excessive permissions can be risky<\/li>\n\n\n\n<li>Browser extensions can pose risks<\/li>\n\n\n\n<li>An open Wi-Fi network or captive portal can be part of an attack<\/li>\n\n\n\n<li>Downloading unverified tools can compromise existing sessions<\/li>\n\n\n\n<li>A token or API key must be protected like a password<\/li>\n<\/ul>\n\n\n\n<p>Awareness should include examples of modern attacks, not only traditional phishing.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Questions for CISOs to assess the organization&#8217;s exposure level<\/h2>\n\n\n\n<p>The following questions can help identify risks:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Do we know which OAuth 2.0 applications have access to our data?<\/li>\n\n\n\n<li>Can users authorize applications without review?<\/li>\n\n\n\n<li>Do we have Device Code Flow enabled even though we do not use it?<\/li>\n\n\n\n<li>Can we quickly revoke sessions and refresh tokens?<\/li>\n\n\n\n<li>Do we know where our API keys are stored?<\/li>\n\n\n\n<li>Do API keys have an owner, scope, and expiration date?<\/li>\n\n\n\n<li>Do we detect token use from unusual locations?<\/li>\n\n\n\n<li>Do we have alerts for mass reading via API?<\/li>\n\n\n\n<li>Do we review browser extensions on corporate devices?<\/li>\n\n\n\n<li>Is the device part of our identity protection strategy?<\/li>\n\n\n\n<li>Are sensitive environment variables protected by default?<\/li>\n\n\n\n<li>Are providers with OAuth access assessed as critical third parties?<\/li>\n<\/ol>\n\n\n\n<p>If the answer to several of these questions is &#8220;no,&#8221; there is likely a gap between the identity strategy and operational reality.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons learned<\/h2>\n\n\n\n<p>Recent attacks in which we observed the techniques discussed in this article leave several important lessons learned:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MFA remains necessary, but it is not sufficient<\/li>\n\n\n\n<li>An authenticated session can be more valuable than a password<\/li>\n\n\n\n<li>OAuth must be governed as a trust relationship with third parties<\/li>\n\n\n\n<li>API keys are machine identities and must be managed as critical secrets<\/li>\n\n\n\n<li>The browser is part of the attack surface<\/li>\n\n\n\n<li>The endpoint is part of the identity plane<\/li>\n\n\n\n<li>Changing passwords does not resolve a compromise if tokens remain active<\/li>\n\n\n\n<li>Detection must focus on behavior, not only login events<\/li>\n\n\n\n<li>Sessions must be validated continuously<\/li>\n\n\n\n<li>Security by default matters: if a secret has to be manually marked as sensitive, eventually someone will fail to do so<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><strong>Conclusion<\/strong><\/strong><\/h2>\n\n\n\n<p>For a long time, it was assumed that protecting the login was enough. Username, password, and MFA seemed to close the front door. However, modern applications operate with sessions, tokens, integrations, API keys, and secrets distributed across multiple platforms.<\/p>\n\n\n\n<p>Adversaries understood this. That is why many current attacks no longer try to guess passwords. They look for cookies, OAuth tokens, refresh tokens, abusive consents, and exposed API keys. In other words, they look for the keys generated after authentication has already occurred.<\/p>\n\n\n\n<p>The solution is not to abandon MFA, but to complement it with a broader strategy: phishing-resistant MFA, less portable sessions, short-lived tokens, OAuth governance, comprehensive device protection, secure secrets management, continuous monitoring, and incident response focused on access revocation.<\/p>\n\n\n\n<p>In cybersecurity, a valid session can be as powerful as a password. In addition, token abuse is lethal because, from the perspective of traditional IdP logs, the attacker&#8217;s traffic looks exactly like legitimate traffic. Therefore, organizations must stop protecting only the moment of login and start protecting the entire identity lifecycle.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent years, Multi-Factor Authentication \u2014better known as MFA \u2014 has become one of the main recommendations for protecting corporate<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1551","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=1551"}],"version-history":[{"count":3,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1551\/revisions"}],"predecessor-version":[{"id":1564,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1551\/revisions\/1564"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=1551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=1551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=1551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}