Projects

Zombie API Clients. Old Credentials. Still Active. Find and Kill Them.

Zombie API clients. Credentials nobody remembers creating. Still active. Still dangerous. Every enterprise has them. Most teams pretend they don't exist. Opened the Commercetools admin panel and found dozens of API clients staring back. Created during sprints two years ago. Nobody knows which are still in use. Some have full admin scopes. Zero rotation, zero audit trail. Just vibes and prayers. The first real audit: 34 clients total. 12 active with legitimate documented usage. 18 zombies with no activity in 90+ days. And 4 with full admin scope that had not been touched in six months. Four open doors to production data that nobody even knew existed. The tool is Python, Dockerized, runs anywhere with no setup. It connects to the Commercetools API, pulls every client, cross-references usage logs, and tells you exactly which ones are alive and which ones are dead weight. Then it goes further: automated weekly scans in the CI/CD pipeline, Slack alerts when any client sits idle for 30 days, scope validation against actual API call patterns, and rotation recommendations when anything is over-permissioned. The deeper problem is not technical. Credentials accumulate because nobody owns…