Support api key exposure event (#209)

willme-paddle · davidgrayston-paddle · web-flow · commit 2d9185248387 · 2026-02-03T09:46:45.000Z
* feat: Add ApiKeyExposure enums and notification handling

* Introduced new enums for ApiKeyExposure including action taken, risk level, and source.
* Added ApiKeyExposureNotification class to handle notifications related to API key exposure.
* Implemented ApiKeyExposureCreatedEvent for event handling.
* Updated relevant index files to export new types and classes.
* Enhanced event handling to include ApiKeyExposureCreated events.

* test: Add mock for ApiKeyExposureCreated notification

* Introduced ApiKeyExposureCreatedMock and ApiKeyExposureCreatedMockExpectation for testing.
* Updated notifications-parser tests to include the new ApiKeyExposureCreated mock data.

* chore: Update CHANGELOG to include support for `api_key_exposure.created` event

* Update CHANGELOG.md

Co-authored-by: davidgrayston-paddle &lt;david.grayston@paddle.com&gt;

---------

Co-authored-by: davidgrayston-paddle &lt;david.grayston@paddle.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,7 @@ adding additional type guards.
 ### Added
 
 - Added support for `wechat_pay` payment method.
+- Added support for `api_key_exposure.created` event. See [related changelog](https://developer.paddle.com/api-reference/about/api-keys?utm_source=dx&utm_medium=paddle-node-sdk#secret-scanning).
 
 ---
 
diff --git a/src/__tests__/mocks/notifications/api-key-exposure-created.mock.ts b/src/__tests__/mocks/notifications/api-key-exposure-created.mock.ts
@@ -0,0 +1,42 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+import { type IEventsResponse } from '../../../types/index.js';
+import { IApiKeyExposureNotificationResponse } from '../../../notifications/index.js';
+
+export const ApiKeyExposureCreatedMock: IEventsResponse<IApiKeyExposureNotificationResponse> = {
+  event_id: 'evt_01jkdr0rc527wcjdg1txsdxhtg',
+  event_type: 'api_key_exposure.created',
+  occurred_at: '2025-06-24T12:58:38.746382Z',
+  notification_id: 'ntf_01jkdr1mgbe62eqkh3p0fq8b0w',
+  data: {
+    id: 'apikeyexp_01jkdpbhazdpn3wpcya45as9tg',
+    api_key_id: 'apikey_01jkdpbhazdpn3wpcya45as9tg',
+    risk_level: 'high',
+    action_taken: 'revoked',
+    source: 'github',
+    reference: 'https://github.com/example/repo/blob/main/config.js',
+    description: 'API key found exposed in public GitHub repository.',
+    created_at: '2025-06-24T12:58:38.746382Z',
+  },
+};
+
+export const ApiKeyExposureCreatedMockExpectation = {
+  eventId: 'evt_01jkdr0rc527wcjdg1txsdxhtg',
+  eventType: 'api_key_exposure.created',
+  occurredAt: '2025-06-24T12:58:38.746382Z',
+  notificationId: 'ntf_01jkdr1mgbe62eqkh3p0fq8b0w',
+  data: {
+    id: 'apikeyexp_01jkdpbhazdpn3wpcya45as9tg',
+    apiKeyId: 'apikey_01jkdpbhazdpn3wpcya45as9tg',
+    riskLevel: 'high',
+    actionTaken: 'revoked',
+    source: 'github',
+    reference: 'https://github.com/example/repo/blob/main/config.js',
+    description: 'API key found exposed in public GitHub repository.',
+    createdAt: '2025-06-24T12:58:38.746382Z',
+  },
+};
diff --git a/src/__tests__/notifications/notifications-parser.test.ts b/src/__tests__/notifications/notifications-parser.test.ts
@@ -14,6 +14,10 @@ import { ApiKeyExpiredMock, ApiKeyExpiredMockExpectation } from '../mocks/notifi
 import { ApiKeyRevokedMock, ApiKeyRevokedMockExpectation } from '../mocks/notifications/api-key-revoked.mock.js';
 import { ApiKeyExpiringMock, ApiKeyExpiringMockExpectation } from '../mocks/notifications/api-key-expiring.mock.js';
 import { ApiKeyUpdatedMock, ApiKeyUpdatedMockExpectation } from '../mocks/notifications/api-key-updated.mock.js';
+import {
+  ApiKeyExposureCreatedMock,
+  ApiKeyExposureCreatedMockExpectation,
+} from '../mocks/notifications/api-key-exposure-created.mock.js';
 import { BusinessCreatedMock, BusinessCreatedMockExpectation } from '../mocks/notifications/business-created.mock.js';
 import { BusinessUpdatedMock, BusinessUpdatedMockExpectation } from '../mocks/notifications/business-updated.mock.js';
 import {
@@ -159,6 +163,7 @@ describe('Notifications Parser', () => {
     [ApiKeyExpiringMock.event_type, ApiKeyExpiringMock, ApiKeyExpiringMockExpectation],
     [ApiKeyRevokedMock.event_type, ApiKeyRevokedMock, ApiKeyRevokedMockExpectation],
     [ApiKeyUpdatedMock.event_type, ApiKeyUpdatedMock, ApiKeyUpdatedMockExpectation],
+    [ApiKeyExposureCreatedMock.event_type, ApiKeyExposureCreatedMock, ApiKeyExposureCreatedMockExpectation],
     [BusinessCreatedMock.event_type, BusinessCreatedMock, BusinessCreatedMockExpectation],
     [BusinessUpdatedMock.event_type, BusinessUpdatedMock, BusinessUpdatedMockExpectation],
     [BusinessImportedMock.event_type, BusinessImportedMock, BusinessImportedMockExpectation],
diff --git a/src/enums/api-key-exposure/action-taken.ts b/src/enums/api-key-exposure/action-taken.ts
@@ -0,0 +1,7 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export type ApiKeyExposureActionTaken = 'revoked' | 'none';
diff --git a/src/enums/api-key-exposure/index.ts b/src/enums/api-key-exposure/index.ts
@@ -0,0 +1,9 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export * from './risk-level.js';
+export * from './action-taken.js';
+export * from './source.js';
diff --git a/src/enums/api-key-exposure/risk-level.ts b/src/enums/api-key-exposure/risk-level.ts
@@ -0,0 +1,7 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export type ApiKeyExposureRiskLevel = 'high' | 'low';
diff --git a/src/enums/api-key-exposure/source.ts b/src/enums/api-key-exposure/source.ts
@@ -0,0 +1,7 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export type ApiKeyExposureSource = 'github';
diff --git a/src/enums/index.ts b/src/enums/index.ts
@@ -19,4 +19,5 @@ export * from './simulation/index.js';
 export * from './simulation-run/index.js';
 export * from './simulation-run-event/index.js';
 export * from './api-key/index.js';
+export * from './api-key-exposure/index.js';
 export * from './client-tokens/index.js';
diff --git a/src/notifications/entities/api-key-exposure/api-key-exposure-notification.ts b/src/notifications/entities/api-key-exposure/api-key-exposure-notification.ts
@@ -0,0 +1,29 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+import { IApiKeyExposureNotificationResponse } from '../../types/index.js';
+import { ApiKeyExposureRiskLevel, ApiKeyExposureActionTaken, ApiKeyExposureSource } from '../../../enums/index.js';
+
+export class ApiKeyExposureNotification {
+  public readonly id: string;
+  public readonly apiKeyId: string;
+  public readonly riskLevel: ApiKeyExposureRiskLevel;
+  public readonly actionTaken: ApiKeyExposureActionTaken;
+  public readonly source: ApiKeyExposureSource;
+  public readonly reference: string;
+  public readonly description: string | null;
+  public readonly createdAt: string;
+
+  constructor(apiKeyExposure: IApiKeyExposureNotificationResponse) {
+    this.id = apiKeyExposure.id;
+    this.apiKeyId = apiKeyExposure.api_key_id;
+    this.riskLevel = apiKeyExposure.risk_level;
+    this.actionTaken = apiKeyExposure.action_taken;
+    this.source = apiKeyExposure.source;
+    this.reference = apiKeyExposure.reference;
+    this.description = apiKeyExposure.description ?? null;
+    this.createdAt = apiKeyExposure.created_at;
+  }
+}
diff --git a/src/notifications/entities/api-key-exposure/index.ts b/src/notifications/entities/api-key-exposure/index.ts
@@ -0,0 +1,7 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export * from './api-key-exposure-notification.js';
diff --git a/src/notifications/entities/index.ts b/src/notifications/entities/index.ts
@@ -19,4 +19,5 @@ export * from './payout/index.js';
 export * from './report/index.js';
 export * from './shared/index.js';
 export * from './api-key/index.js';
+export * from './api-key-exposure/index.js';
 export * from './client-token/index.js';
diff --git a/src/notifications/events/api-key-exposure/api-key-exposure-created-event.ts b/src/notifications/events/api-key-exposure/api-key-exposure-created-event.ts
@@ -0,0 +1,21 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+import { Event } from '../../../entities/events/event.js';
+import { EventName } from '../../helpers/index.js';
+import { ApiKeyExposureNotification } from '../../entities/index.js';
+import { type IEventsResponse } from '../../../types/index.js';
+import { IApiKeyExposureNotificationResponse } from '../../types/index.js';
+
+export class ApiKeyExposureCreatedEvent extends Event {
+  public override readonly eventType = EventName.ApiKeyExposureCreated;
+  public override readonly data: ApiKeyExposureNotification;
+
+  constructor(response: IEventsResponse<IApiKeyExposureNotificationResponse>) {
+    super(response);
+    this.data = new ApiKeyExposureNotification(response.data);
+  }
+}
diff --git a/src/notifications/events/api-key-exposure/index.ts b/src/notifications/events/api-key-exposure/index.ts
@@ -0,0 +1,7 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export * from './api-key-exposure-created-event.js';
diff --git a/src/notifications/events/index.ts b/src/notifications/events/index.ts
@@ -19,4 +19,5 @@ export * from './subscription/index.js';
 export * from './transaction/index.js';
 export * from './report/index.js';
 export * from './api-key/index.js';
+export * from './api-key-exposure/index.js';
 export * from './client-token/index.js';
diff --git a/src/notifications/helpers/types.ts b/src/notifications/helpers/types.ts
@@ -9,6 +9,7 @@ import {
   type ApiKeyExpiringEvent,
   type ApiKeyRevokedEvent,
   type ApiKeyUpdatedEvent,
+  type ApiKeyExposureCreatedEvent,
   type BusinessCreatedEvent,
   type BusinessImportedEvent,
   type BusinessUpdatedEvent,
@@ -67,6 +68,7 @@ export type EventEntity =
   | ApiKeyExpiringEvent
   | ApiKeyExpiredEvent
   | ApiKeyRevokedEvent
+  | ApiKeyExposureCreatedEvent
   | BusinessCreatedEvent
   | BusinessUpdatedEvent
   | BusinessImportedEvent
@@ -124,6 +126,7 @@ export enum EventName {
   ApiKeyExpiring = 'api_key.expiring',
   ApiKeyExpired = 'api_key.expired',
   ApiKeyRevoked = 'api_key.revoked',
+  ApiKeyExposureCreated = 'api_key_exposure.created',
   BusinessCreated = 'business.created',
   BusinessImported = 'business.imported',
   BusinessUpdated = 'business.updated',
@@ -182,6 +185,7 @@ export type IEventName =
   | 'api_key.expiring'
   | 'api_key.expired'
   | 'api_key.revoked'
+  | 'api_key_exposure.created'
   | 'business.created'
   | 'business.updated'
   | 'business.imported'
diff --git a/src/notifications/helpers/webhooks.ts b/src/notifications/helpers/webhooks.ts
@@ -12,6 +12,7 @@ import {
   ApiKeyExpiringEvent,
   ApiKeyRevokedEvent,
   ApiKeyUpdatedEvent,
+  ApiKeyExposureCreatedEvent,
   BusinessCreatedEvent,
   BusinessImportedEvent,
   BusinessUpdatedEvent,
@@ -99,6 +100,8 @@ export class Webhooks {
         return new ApiKeyRevokedEvent(data);
       case EventName.ApiKeyUpdated:
         return new ApiKeyUpdatedEvent(data);
+      case EventName.ApiKeyExposureCreated:
+        return new ApiKeyExposureCreatedEvent(data);
       case EventName.BusinessCreated:
         return new BusinessCreatedEvent(data);
       case EventName.BusinessUpdated:
diff --git a/src/notifications/types/api-key-exposure/api-key-exposure-notification-response.ts b/src/notifications/types/api-key-exposure/api-key-exposure-notification-response.ts
@@ -0,0 +1,18 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+import { ApiKeyExposureRiskLevel, ApiKeyExposureActionTaken, ApiKeyExposureSource } from '../../../enums/index.js';
+
+export interface IApiKeyExposureNotificationResponse {
+  id: string;
+  api_key_id: string;
+  risk_level: ApiKeyExposureRiskLevel;
+  action_taken: ApiKeyExposureActionTaken;
+  source: ApiKeyExposureSource;
+  reference: string;
+  description: string | null;
+  created_at: string;
+}
diff --git a/src/notifications/types/api-key-exposure/index.ts b/src/notifications/types/api-key-exposure/index.ts
@@ -0,0 +1,7 @@
+/**
+ *  ! Autogenerated code !
+ *  Do not make changes to this file.
+ *  Changes may be overwritten as part of auto-generation.
+ */
+
+export * from './api-key-exposure-notification-response.js';
diff --git a/src/notifications/types/index.ts b/src/notifications/types/index.ts
@@ -19,4 +19,5 @@ export * from './payout/index.js';
 export * from './report/index.js';
 export * from './shared/index.js';
 export * from './api-key/index.js';
+export * from './api-key-exposure/index.js';
 export * from './client-token/index.js';
diff --git a/src/types/events/events-response.ts b/src/types/events/events-response.ts
@@ -9,6 +9,7 @@ import {
   type IAddressNotificationResponse,
   type IAdjustmentNotificationResponse,
   type IApiKeyNotificationResponse,
+  type IApiKeyExposureNotificationResponse,
   type IBusinessNotificationResponse,
   type IClientTokenNotificationResponse,
   type ICustomerNotificationResponse,
@@ -73,6 +74,10 @@ interface IApiKeyUpdated extends IEventsResponse<IApiKeyNotificationResponse> {
   event_type: EventName.ApiKeyUpdated;
 }
 
+interface IApiKeyExposureCreated extends IEventsResponse<IApiKeyExposureNotificationResponse> {
+  event_type: EventName.ApiKeyExposureCreated;
+}
+
 interface IBusinessCreated extends IEventsResponse<IBusinessNotificationResponse> {
   event_type: EventName.BusinessCreated;
 }
@@ -264,6 +269,7 @@ export type IEvents =
   | IApiKeyExpiring
   | IApiKeyRevoked
   | IApiKeyUpdated
+  | IApiKeyExposureCreated
   | IBusinessCreated
   | IBusinessUpdated
   | IBusinessImported
