API Keys: Small Strings, Massive Risk

API Keys Often Have Broad Permissions

Many API keys are generated with full read/write access by default. If exposed, they can provide attackers with powerful, programmatic control.

Hardcoding Secrets Is Still Common

Developers frequently embed API keys directly into source code or configuration files. Once pushed to a repository — public or private — exposure risk skyrockets.

Rotation Is Rarely Automated

API keys often remain active for months or years. Without automated rotation policies, compromised keys remain valid indefinitely.

Logs Can Leak Secrets

Debug logs and error messages sometimes print full keys or tokens. If log storage is exposed, secrets leak silently.

Monitoring API Usage Is Essential

Unusual request volume, unexpected geolocation, or abnormal endpoints accessed can signal key abuse before major damage occurs.
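
The three signals named above (request volume, geolocation, endpoints accessed) can be checked per key against a usage baseline. The sketch below is an added example, not part of the original article; the key ids, baseline values and log records are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed baseline per key id (assumed to be derived from historical usage).
BASELINE = {
    "key-billing": {"countries": {"US"}, "endpoints": {"/v1/invoices"}, "max_per_hour": 5},
    "key-reports": {"countries": {"DE", "FR"}, "endpoints": {"/v1/reports"}, "max_per_hour": 5},
}

# Constructed access-log records: (key_id, hour_bucket, country, endpoint).
EVENTS = (
    [("key-billing", "2024-05-01T10", "US", "/v1/invoices")] * 3
    + [("key-billing", "2024-05-01T11", "US", "/v1/invoices")] * 9   # volume spike
    + [("key-reports", "2024-05-01T10", "DE", "/v1/reports")] * 2
    + [("key-reports", "2024-05-01T10", "BR", "/v1/reports")]        # unexpected country
    + [("key-reports", "2024-05-01T11", "FR", "/v1/admin/users")]    # abnormal endpoint
    + [("key-unknown", "2024-05-01T11", "US", "/v1/invoices")]       # key with no baseline
)

def detect_key_abuse(events, baseline):
    """Return {key_id: sorted findings} for keys that deviate from their baseline."""
    findings = defaultdict(set)
    per_hour = Counter()
    for key_id, hour, country, endpoint in events:
        profile = baseline.get(key_id)
        if profile is None:
            # A key nobody profiled cannot be monitored; surface it explicitly.
            findings[key_id].add("no-baseline")
            continue
        per_hour[(key_id, hour)] += 1
        if country not in profile["countries"]:
            findings[key_id].add(f"geo:{country}")
        if endpoint not in profile["endpoints"]:
            findings[key_id].add(f"endpoint:{endpoint}")
    # Volume is judged per key per hour bucket, after all events are counted.
    for (key_id, hour), count in per_hour.items():
        if count > baseline[key_id]["max_per_hour"]:
            findings[key_id].add(f"volume:{hour}={count}")
    return {key_id: sorted(reasons) for key_id, reasons in findings.items()}

if __name__ == "__main__":
    for key_id, reasons in sorted(detect_key_abuse(EVENTS, BASELINE).items()):
        print(key_id, reasons)
```

Keying the findings by key id rather than by source IP means the alert points directly at the credential to revoke or rotate.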

Treat API Keys Like Privileged Accounts

Limit scope, enforce expiration, rotate regularly, and monitor usage patterns. A leaked API key is not just a string — it’s an open door.
