lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Auth0

Auth0identity4 credentials

Credentials4 documented
01

Management API Access Token

auth0 / management-api-access-token

Auth0 Management API access tokens authorize calls to the Auth0 Management API. Auth0 documents these as access tokens and discusses rotating or revoking tokens according to their token type.

generated on installsecrettoken

Looks like

pattern
pattern

Auth0 access tokens are JWTs in common Management API flows; identify by Auth0 audience and Bearer context

eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

Location

environment
AUTH0_MANAGEMENT_API_TOKEN, AUTH0_TOKEN
http header
Authorization

Bearer token used for Auth0 Management API calls

http response

OAuth token endpoint responses containing access_token

config file

automation .env files, deployment config, Terraform variables, and SDK config

secret store

CI/CD variables, cloud secret managers, and identity automation secrets

logs

token exchange logs, Management API client traces, and CI output

Notes

Management API token blast radius is controlled by requested audience, scopes, and lifetime. Store short-lived tokens only where needed.

02

Application Client Secret

auth0 / application-client-secret

Auth0 applications have client credentials in their application settings. Auth0 documents client secret rotation and notes that client secrets are used by confidential applications and token flows.

generated on installsecretsecret value

Location

environment
AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET
config file

application settings, .env files, backend auth config, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and platform app secrets

source code

OAuth examples, tests, Terraform config, and accidentally committed app config

logs

OAuth token request dumps, failed login traces, and CI output

Notes

The client ID identifies the application; the client secret is confidential and can allow impersonation of the application in supported OAuth flows.

03

Private Key JWT Signing Key

auth0 / private-key-jwt-signing-key

Auth0 applications can use private_key_jwt-style authentication for advanced OAuth flows. Auth0 documents private key JWT authentication and JSON Web Key Sets for verifying JWTs signed by Auth0.

user definedsecretkey pair

Looks like

pattern
pattern

PEM private key used by an Auth0 application for private key JWT authentication

-----BEGIN (?:RSA |EC |)PRIVATE KEY-----

Location

config file

PEM files, JWKS generation inputs, backend auth config, and deployment manifests

environment
AUTH0_PRIVATE_KEY, AUTH0_CLIENT_ASSERTION_PRIVATE_KEY
secret store

cloud KMS, secret managers, CI/CD variables, and platform app secrets

source code

test keys, OAuth client examples, and accidentally committed PEM files

Notes

Public JWKS keys verify tokens, but the private signing key is a secret credential and should stay in a server-side key store.

04

Refresh Token

auth0 / refresh-token

Auth0 refresh tokens can be revoked through the Dashboard, Authentication API, or Management API. Auth0 documents refresh token rotation and expiration settings for applications.

generated on installsecrettoken

Location

http response

OAuth token responses containing refresh_token

database

application token stores and session stores

config file

development token caches and local OAuth test config

secret store

encrypted app secret stores and secure session storage

logs

OAuth callback logs and token endpoint debug output

Notes

Refresh token exposure can extend access beyond an access token's lifetime until rotation, revocation, reuse detection, or expiration stops it.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.