# GitHub Secret Scanning
Starting from mid-May 2023, Workato Developer API Client tokens are integrated with GitHub Secret Scanning, allowing us to provide additional layers of security when your API tokens are found in plain text in public GitHub repositories.
When these tokens are found, Workato will perform the following steps:
- Revoke your Developer API token so that bad actors cannot gain unauthorized access to your Workato workspace
- Send an email to the Workspace owner and admins about the leaked token, including information about where it was found and how to recover from the leaked token
  Remember to add your Workspace Administrators to your email notification lists so that the relevant individuals are informed if tokens are leaked. You can do this in your Workspace settings when logged in as the Workspace owner.
- Mark the API Client as leaked on the Workato UI
- Add an audit log event indicating that the API token was leaked
# Why do we revoke tokens immediately?
Human error is one of the most common ways that malicious actors can access your account. We have found that many bad actors run crawlers over public GitHub repositories to find leaked tokens, which makes it important that we are able to secure your Workato workspace.
Last updated: 5/29/2023, 5:11:44 AM