Apache Superset
Apache Software Foundationother4 credentials
Superset Administrator/User Password
apache-superset / admin-user-password
Apache Superset local users authenticate to the web UI and API through Flask AppBuilder security. Administrators are created during initialization or provisioning.
Location
Superset web UI, REST API, SQL Lab, and embedded dashboard flowsSuperset metadata database user/security tables and password hashes
superset_config.pyauthentication, database, secret key, OAuth, LDAP, and feature configuration
Kubernetes Secrets, Docker secrets, vaults, and password managers
webserver, worker, audit, and authentication logs
Notes
No universal Superset admin password is modeled; it is created by superset fab/create-admin or deployment automation.
SECRET_KEY / Encryption Secret
apache-superset / secret-key-and-fernet-key
Superset relies on SECRET_KEY and related encryption material to sign sessions and encrypt sensitive metadata such as database connection passwords.
Looks like
pattern^(SECRET_KEY|SUPERSET_SECRET_KEY)\s*=\s*[\'\"].+[\'\"]Location
superset_config.pySECRET_KEY and security configuration
SUPERSET_SECRET_KEY, SECRET_KEYKubernetes Secrets, Docker secrets, and external vaults
committed config files, Helm values, and example deployments
metadata database backups and deployment bundles
Database Connection Password / SQLAlchemy URI
apache-superset / database-connection-secret
Superset stores database connection URIs and credentials for analytics databases and the metadata database.
Location
Superset metadata database encrypted DB connection records
superset_config.py, values.yamlSQLALCHEMY_DATABASE_URI, examples database config, and datasource settings
SQLALCHEMY_DATABASE_URI, DATABASE_URL, SUPERSET_DATABASE_PASSWORDKubernetes Secrets, Airflow/CI secrets, and database vault entries
SQLAlchemy errors, worker logs, and connection test traces
OAuth, LDAP, and API Integration Secret
apache-superset / oauth-ldap-api-secret
Superset deployments may contain OAuth/OIDC client secrets, LDAP bind passwords, guest token signing config, and embedded analytics secrets.
Location
AuthorizationBearer/JWT/API tokens for Superset API clients
superset_config.pyAUTH_TYPE, OAuth providers, LDAP, guest token, and feature config
OAUTH_CLIENT_SECRET, LDAP_BIND_PASSWORD, SUPERSET_OAUTH_SECRETvaults and deployment secret stores
OAuth, LDAP, and API debug logs
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.