lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Airtable

Airtabledatabase5 credentials

Credentials5 documented
01

Airtable User / Administrator Password

airtable / user-password

Airtable users and administrators authenticate to the Airtable web app, enterprise admin surfaces, SSO flows, and OAuth authorization flows with user-defined or federated credentials.

user definedsecretusername/password

Location

public interface
/login, /authorize, /admin

Airtable web sign-in, OAuth authorization, and enterprise administration contexts

secret store

Password managers, enterprise identity providers, break-glass admin vaults, and managed credential stores

logs

Sign-in logs, audit events, OAuth authorization events, browser exports, and support traces

Notes

Catalogs ordinary operational credential locations; this is not a claim of a static Airtable default password.

02

Personal Access Token

airtable / personal-access-token

Airtable personal access tokens authorize Web API requests. Airtable.js documents using a secret API token/personal access token as apiKey and using AIRTABLE_API_KEY for 12-factor environment configuration. Gitleaks and Betterleaks detect Airtable PATs with a pat-prefixed token shape.

generated on installuser definedsecrettoken

Looks like

example
example

Airtable personal access token pattern compatible with Gitleaks/Betterleaks airtable-personnal-access-token rule

patAAAAAAAAAAAAAA.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Location

environment
AIRTABLE_API_KEY

Airtable.js and pyairtable examples use AIRTABLE_API_KEY for the secret API token / personal access token

http header
Authorization

Bearer token used for Airtable Web API requests

public interface
/create/tokens, /developers/web/api

Airtable token creation and Web API documentation contexts

config file
.env, .env.local, .env.production, airtable.js, airtable.config.js, config.js, config.ts, settings.py, pyproject.toml

Project-local SDK/application files where AIRTABLE_API_KEY or Airtable PATs are commonly configured

secret store

CI/CD variables, cloud secret managers, platform secret stores, password vaults, and integration vaults

source code

Application code, automation scripts, notebooks, tests, examples, infrastructure-as-code, and committed config files

logs

API debug logs, SDK traces, CI output, exception traces, HTTP request captures, and support bundles

Notes

Airtable base IDs, table IDs, record IDs, endpoint URLs, and pagination tokens are API context, not credential values. AIRTABLE_ENDPOINT_URL is intentionally not listed as a credential env var.

03

Legacy API Key

airtable / legacy-api-key

Older Airtable integrations and detector rules modeled legacy Airtable API keys as 17-character lower-case alphanumeric values near Airtable-specific context. Airtable now directs developers to create personal access tokens, but legacy keys may still appear in old code, examples, and configuration.

generated on installuser definedsecretAPI key

Looks like

pattern
pattern

Contextual Airtable legacy API-key pattern compatible with Betterleaks airtable-api-key rule

(?i)(?:airtable)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{17})(?:\\?['"\x60]|[\s;]|\\[nr]|$)

Location

environment
AIRTABLE_API_KEY

Airtable SDK examples use this env var for the secret API token/API key value

http header
Authorization

Bearer token/API key used for Airtable Web API requests

config file
.env, .env.local, airtable.js, config.js, config.ts, settings.py, test/test_files/index.html

Legacy SDK examples, browser demos, and local app configuration files that may contain legacy API keys

source code

Older Airtable.js integrations, browser demos, tests, notebooks, scripts, and automation repos

logs

API debug logs, HTTP traces, browser demos, CI output, and support bundles

Notes

The 17-character pattern is noisy without Airtable-specific context and should not be used as a generic standalone token detector.

04

OAuth Access Token

airtable / oauth-access-token

Airtable OAuth integrations receive bearer access tokens for API calls. Betterleaks models Airtable OAuth tokens with a versioned dot-separated token format and validates candidate tokens against the /v0/meta/whoami endpoint.

generated on installsecrettoken

Looks like

example
example

Airtable OAuth token value shape from Betterleaks airtable-oauth-token rule; use with Airtable-specific context

AIRTABLE.v1.ABCDEFGHIJKLMNOPQRSTUVWXYZ_0123456789.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
pattern

Contextual Airtable OAuth token pattern compatible with Betterleaks airtable-oauth-token rule

(?i)(?:airtable)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([A-Z0-9]+\.v1\.[A-Z0-9_-]+\.[a-f0-9]+)(?:\\?['"\x60]|[\s;]|\\[nr]|$)

Location

http header
Authorization

Bearer OAuth access token used for Airtable Web API requests

http response

OAuth token responses containing access_token, refresh_token, token_type, scope, and expiry fields

config file
.env, oauth.json, airtable-oauth.json, config.json, config.js, settings.py

OAuth callback handlers, app configs, token stores, SDK settings, and local development files

secret store

OAuth client secret stores, CI/CD variables, cloud secret managers, enterprise vaults, and app-installation secret stores

source code

OAuth callback code, app manifests, automation scripts, tests, and examples

logs

OAuth exchange logs, callback logs, API traces, failed auth errors, and support bundles

Notes

No exact official Airtable environment variable for OAuth access or refresh tokens was found in the checked sources, so none is listed.

05

OAuth Client Secret / Refresh Token

airtable / oauth-client-secret

Airtable OAuth integrations can use client secrets and refresh tokens as part of token exchange and token refresh flows. These values are usually stored in application configuration or secret stores rather than an Airtable-owned local CLI file.

generated on installuser definedsecretsecret value

Location

http header
Authorization

Basic client authentication or bearer token during OAuth token exchange and API calls

http response

OAuth token responses can contain refresh_token and access_token fields

config file
.env, oauth.json, airtable-oauth.json, config.json, config.js, settings.py

OAuth application configs, callback handlers, SDK settings, and local development files

secret store

OAuth client secret stores, CI/CD variables, cloud secret managers, enterprise vaults, and app-installation secret stores

source code

OAuth callback code, app manifests, automation scripts, tests, and examples

logs

OAuth exchange logs, callback logs, API traces, failed auth errors, and support bundles

Notes

Generic names such as AIRTABLE_CLIENT_SECRET and AIRTABLE_REFRESH_TOKEN were not listed as environment locations because the checked official SDK/docs did not establish them as Airtable-owned credential-value env vars.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.