user api key leaked
WakaTime
Reported by
atasec
Vulnerability Details
Technical details and impact analysis
While testing WakaTime using the tool gau (Get All URLs), I discovered an exposed API key in one of the older URLs. Upon testing this API key, I found that it successfully authenticated requests to an endpoint that would otherwise return "401 Unauthorized" without it. This indicates that the API key is valid and grants access to restricted resources, which could lead to information disclosure or potential misuse depending on the associated permissions.
## Impact
An attacker who obtains the API key waka_edf47c40-cabf-46e7-9f88-f1b44f00431f could potentially access personal information about the user or perform unauthorized actions on their behalf via the API.
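For the defending side, an added example (not part of the original report and not WakaTime code) that audits a list of your own URLs, such as access logs or archived links, for keys of the shape quoted above, and emits redacted URLs plus a fingerprint that can be matched against stored keys for rotation. The `waka_` + UUID pattern is inferred from the single key in this report; the hosts, paths, parameter names and keys in the sample are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: key shape inferred from the one key quoted in the report
# ("waka_" followed by a UUID), not taken from vendor documentation.
KEY_RE = re.compile(
    r"waka_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    re.IGNORECASE,
)

def fingerprint(key: str) -> str:
    """Short SHA-256 prefix, so a finding can be matched to a stored key
    for revocation without copying the secret into the audit output."""
    return hashlib.sha256(key.lower().encode()).hexdigest()[:12]

def scan_url(url: str) -> list[dict]:
    """Return one finding per key in the URL's query, path or fragment."""
    parts = urlsplit(url)
    findings = []
    # parse_qsl percent-decodes values, so keys nested in redirect params are seen.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for m in KEY_RE.finditer(value):
            findings.append({"where": f"query:{name}", "fp": fingerprint(m.group())})
    for where, text in (("path", parts.path), ("fragment", parts.fragment)):
        for m in KEY_RE.finditer(text):
            findings.append({"where": where, "fp": fingerprint(m.group())})
    return findings

def redact(url: str) -> str:
    """Replace each key with a placeholder carrying only its fingerprint."""
    return KEY_RE.sub(lambda m: f"[REDACTED:{fingerprint(m.group())}]", url)

def audit(urls):
    """Map each affected URL (redacted) to its findings; clean URLs are omitted."""
    return {redact(u): f for u in urls if (f := scan_url(u))}

# Constructed sample input: hosts, paths, parameters and keys are made up.
SAMPLE_URLS = [
    "https://example.test/api/endpoint?api_key=waka_00000000-0000-4000-8000-000000000001",
    "https://example.test/share/waka_00000000-0000-4000-8000-000000000002/embed",
    "https://example.test/dashboard?range=last_7_days",
    "https://example.test/cb?next=%2Fx%3Ftoken%3DWAKA_00000000-0000-4000-8000-000000000001",
]

if __name__ == "__main__":
    for url, found in audit(SAMPLE_URLS).items():
        print(url, found)
```

Two findings with the same fingerprint (the first and last sample URLs) point to one key exposed in several places, which still needs only one rotation.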
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Information Disclosure