lolcreds

Public credential defaults and exposure patterns for authorized security testing.

1Password

1Passwordsaas7 credentials

Credentials7 documented
01

1Password User / Administrator Password

1password / user-or-admin-password

1Password users and administrators authenticate to 1Password accounts, admin consoles, CLI sign-in flows, browser extensions, and SSO/federated login flows with user-defined account passwords or identity-provider credentials.

user definedsecretusername/password

Location

public interface
/signin, /sign-in, /admin

1Password web sign-in, admin console, and identity-provider login contexts

config file
~/.config/op/config, ~/.op/config, ~/.config/1Password/1Password.sqlite, ~/.config/1Password/logs/1Password_rCURRENT.log

Unix-like 1Password CLI, desktop, account, and log files where sign-in context may appear

config file
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %APPDATA%\1Password\1Password.sqlite, %LOCALAPPDATA%\1Password\logs\1Password_rCURRENT.log

Windows 1Password CLI, desktop, account, and log files where sign-in context may appear

secret store

Enterprise identity provider stores, break-glass admin vaults, password managers, and SSO connector secrets

logs

1Password application, CLI, audit, and support logs may contain sign-in context but should not contain raw account passwords

Notes

This block catalogs ordinary operational login locations and does not claim a static vendor default password.

02

1Password Account Secret Key

1password / account-secret-key

1Password account Secret Keys are user/account enrollment secrets with a stable A3-formatted value. Betterleaks detects these with the 1password-secret-key rule. Exposure may assist account compromise when combined with the account password and other sign-in factors.

generated on installsecretsecret value

Looks like

example
example

Compatible with Betterleaks rule 1password-secret-key

A3-ABC123-ABCDEFGHIJK-ABCDE-ABCDE-ABCDE
example

Alternate segmented Secret Key form accepted by the Betterleaks-compatible pattern

A3-ABC123-ABC123-ABCDE-ABCDE-ABCDE-ABCDE

Location

config file
~/.config/op/config, ~/.op/config, ~/.config/1Password/1Password.sqlite, ~/Downloads/1Password Emergency Kit.pdf

Unix-like account configuration, local app data, CLI config, and Emergency Kit locations where account Secret Keys may appear

config file
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %APPDATA%\1Password\1Password.sqlite, %USERPROFILE%\Downloads\1Password Emergency Kit.pdf

Windows account configuration, local app data, CLI config, and Emergency Kit locations where account Secret Keys may appear

artifact
1Password Emergency Kit.pdf, Emergency Kit.pdf

Exported Emergency Kit, printed recovery artifacts, screenshots, or support attachments containing an A3 Secret Key

source code
README.md, onboarding.md, runbook.md, secrets.txt, credentials.txt

Project-local documentation or onboarding material that may accidentally include account Secret Keys

logs

CLI debug output, support bundles, screenshots, and onboarding traces may accidentally expose an account Secret Key

Notes

Betterleaks applies a low-entropy filter to reduce false positives. A scanner should treat A3 Secret Key findings as sensitive only when the full grouped format is present.

03

1Password Service Account Token

1password / service-account-token

1Password service account tokens authorize non-interactive access to vaults through 1Password CLI and automation. Betterleaks detects these with the 1password-service-account-token rule and validates them using the 1Password Events API auth introspection endpoint.

generated on installuser definedsecrettoken

Looks like

example
example

Compatible with Betterleaks rule 1password-service-account-token

ops_eyJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Location

environment
OP_SERVICE_ACCOUNT_TOKEN
http header
Authorization

Bearer token used by 1Password service-account-backed automation and validation requests

config file
~/.config/op/config, ~/.op/config

Unix-like 1Password CLI configuration files that may reference service account authentication

config file
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config

Windows 1Password CLI configuration files that may reference service account authentication

config file
.env, docker-compose.yml, docker-compose.yaml, values.yaml, terraform.tfvars, provider.tf, main.tf, Makefile, Taskfile.yml, Jenkinsfile

Automation, container, Helm, Terraform, and CI/CD files that may contain OP_SERVICE_ACCOUNT_TOKEN

secret store

CI/CD variables, cloud secret managers, Kubernetes Secrets, Terraform variables, and automation vaults

source code

Automation repositories, CI/CD definitions, scripts, examples, and application code that may embed or reference service account tokens

logs

CLI debug logs, CI output, Terraform/provider logs, and exception traces may expose service account tokens

Notes

Betterleaks validates service account tokens via https://events.1password.com/api/v2/auth/introspect. Do not validate automatically unless the scanner's validation mode allows outbound token checks.

04

1Password Connect API Token

1password / connect-api-token

1Password Connect API tokens authorize clients to read or manage vault items through a 1Password Connect server. Tokens are commonly provided to CLI, SDK, Kubernetes, Terraform, and application integrations.

generated on installuser definedsecrettoken

Location

environment
OP_CONNECT_TOKEN
http header
Authorization

Bearer token used for 1Password Connect API calls

config file
~/.config/op/config, ~/.op/config, ~/.op/1password-credentials.json

Unix-like 1Password Connect and CLI configuration files

config file
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %USERPROFILE%\.op\1password-credentials.json

Windows 1Password Connect and CLI configuration files

config file
.env, docker-compose.yml, docker-compose.yaml, values.yaml, connect.json, 1password-credentials.json, provider.tf, main.tf

Project, container, Helm, SDK, Terraform, and application files that may contain OP_CONNECT_TOKEN

secret store

Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, and deployment vaults

source code

Application, infrastructure-as-code, and CI/CD files that may embed 1Password Connect tokens

logs

Connect server logs, client debug traces, SDK errors, and CI output may expose Connect tokens

Notes

OP_CONNECT_HOST is Connect server endpoint context and is intentionally not listed as a credential-value environment variable. 1Password Connect token formats may vary and are not modeled here with a stable product-specific regex.

05

1Password Connect Server Credentials File

1password / connect-server-credentials

1Password Connect Server uses a 1password-credentials.json file. Official Connect configuration documents OP_SESSION as the path to this file or the Base64-encoded contents of the credentials file, with a default path under ~/.op.

generated on installsecretsecret value

Location

environment
OP_SESSION

For 1Password Connect containers, OP_SESSION can contain the path to or Base64-encoded content of 1password-credentials.json

config file
~/.op/1password-credentials.json

Official default Connect credentials file path on Unix-like systems

config file
%USERPROFILE%\.op\1password-credentials.json

Windows home-relative equivalent for the Connect credentials file

config file
1password-credentials.json, docker-compose.yml, docker-compose.yaml, values.yaml, deployment.yaml

Project, container, Kubernetes, and Helm deployment files for 1Password Connect

secret store

Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, and deployment vaults

logs

Connect startup logs, container environment dumps, CI output, and deployment troubleshooting traces

Notes

OP_SESSION is overloaded: 1Password CLI docs describe it as a CLI session token, while Connect server docs describe it as credentials-file path or Base64 content. This block models the Connect-server credential-file usage.

06

1Password CLI Session Token

1password / cli-session-token

1Password CLI can use session environment variables for account sessions. These tokens are local authentication artifacts and should be treated as secrets when captured from shells, process environments, logs, or scripts.

generated on installsecrettoken

Location

environment
OP_SESSION
config file
~/.config/op/config, ~/.op/config, ~/.zshrc, ~/.bashrc, ~/.profile, .env

Unix-like shell and 1Password CLI configuration files that may persist session-related environment variables

config file
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %USERPROFILE%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, %USERPROFILE%\.env

Windows shell and 1Password CLI configuration files that may persist session-related environment variables

logs

Shell history, CLI debug output, terminal transcripts, and CI output may expose session tokens

Notes

OP_ACCOUNT is contextual rather than secret material, so it is not listed as a credential-value environment location. Use account context near OP_SESSION or other 1Password token material during triage.

07

1Password SCIM / Integration Secret

1password / scim-or-integration-secret

1Password-related integrations can use SCIM bearer tokens, OAuth app secrets, webhook signing secrets, bot tokens, app install tokens, and third-party connector credentials alongside 1Password automation.

generated on installuser definedsecretsecret value

Location

http header
Authorization, X-API-Key, X-Signature, X-Hub-Signature-256

Authorization or webhook signature headers used by app integrations and provisioning clients

config file
.env, docker-compose.yml, docker-compose.yaml, values.yaml, scim.env, scim.json, oauth.json, manifest.json

Project-local OAuth, SCIM, webhook, and integration configuration files

secret store

SaaS app secret stores, CI/CD variables, cloud secret managers, password vaults, and enterprise integration vaults

source code

Integration repos, webhooks, app backends, tests, examples, and CI/CD files

logs

OAuth exchange logs, webhook logs, API debug traces, provisioning logs, SCIM bridge logs, and audit events

Notes

Generic names such as SCIM_TOKEN, WEBHOOK_SECRET, and CLIENT_SECRET were not listed as 1Password product-owned environment locations because they are not specific to 1Password. Keep those as generic scanner/context detections unless a concrete 1Password integration documents an exact variable name.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.