Leaked Sentry DSN vs auth token — different risks
Sentry DSNs are intentionally public (they are embedded in client code). Sentry auth tokens are secret and grant API access. Know which one you leaked.
The next 60 seconds matter
DSN leak: low risk. An attacker can send junk events to your project, polluting your Sentry data and potentially exhausting quota. Auth token leak: full API access — read projects, modify alerts, delete issues, create integrations.
- DSN: fill your error quota with junk events
- Auth token: read every project's errors, exfiltrate linked users/PII if captured in error contexts
- Auth token: modify projects to silently drop real errors
Rotation playbook
- DSN: Sentry Project Settings → Client Keys → remove the DSN and create a new one
- Auth token: Sentry User Settings → API → Revoke token
- Enable Sentry's Inbound Filters + Rate Limiting to reduce junk-event impact
Prevent the next one
- DSN rotation is cheap — rotate quarterly even without a leak
- Auth tokens: use the minimum required scopes
- Set per-project rate limits
Pattern we scan for
DSN: https://{key}@sentry.io/{project} · Auth token: {variable}
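Added example (not part of the original page and not Sentry's own tooling): a small scanner that tells the two leak types apart and attaches the matching step from the rotation playbook above. The `sntrys_`/`sntryu_` token prefixes, the handling of sentry.io subdomains and the legacy `:secret` part, the "high" label for tokens, and the sample input are assumptions not taken from the page.

```python
import re

# DSN shape from the page: https://{key}@sentry.io/{project}. Generalized here
# (assumption) to sentry.io subdomains and an optional legacy ":secret" part.
DSN_RE = re.compile(
    r"https://(?P<key>[0-9a-f]{32})(?::[0-9a-f]{32})?"
    r"@(?P<host>(?:[a-z0-9-]+\.)*sentry\.io)/(?P<project>\d+)"
)
# Assumption, not from the page: newer Sentry auth tokens carry a
# "sntrys_" (organization) or "sntryu_" (user) prefix.
TOKEN_RE = re.compile(r"\bsntry[su]_[A-Za-z0-9_=+/-]{20,}")


def redact(value, keep=6):
    """Keep a short prefix so the finding can be matched without re-leaking it."""
    return value[:keep] + "..."


def classify_leaks(text):
    """Return one finding per match, with the risk level and rotation step."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in DSN_RE.finditer(line):
            findings.append({
                "line": lineno, "kind": "dsn", "risk": "low",
                "host": m["host"], "project": m["project"],
                "key": redact(m["key"]),
                "action": "Project Settings > Client Keys: remove DSN, create new one",
            })
        for m in TOKEN_RE.finditer(line):
            findings.append({
                "line": lineno, "kind": "auth_token", "risk": "high",
                "key": redact(m.group(), keep=10),
                "action": "User Settings > API: revoke token",
            })
    return findings


# Constructed sample input; the keys and the token are made up.
SAMPLE = """\
SENTRY_DSN=https://0123456789abcdef0123456789abcdef@o42.ingest.sentry.io/1234567
const dsn = "https://fedcba9876543210fedcba9876543210@sentry.io/77";
SENTRY_AUTH_TOKEN=sntryu_00000000000000000000000000000000EXAMPLE
"""

if __name__ == "__main__":
    for finding in classify_leaks(SAMPLE):
        print(finding)
```

Tokens without a recognizable prefix cannot be matched by shape alone, so treat any value stored under a name like `SENTRY_AUTH_TOKEN` as a token regardless of what this scanner reports.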