lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Cloudflare

Cloudflarecloud9 credentials

Credentials9 documented
01

API Token

cloudflare / api-token

Cloudflare API tokens authenticate scoped requests to the Cloudflare API. Cloudflare documents Bearer authorization and states that new API tokens use the cfut_ prefixed scannable format for credential scanning.

user definedsecrettoken

Looks like

example
example

Cloudflare's new prefixed API token format

cfut_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
CLOUDFLARE_API_TOKEN, CF_API_TOKEN
http header
Authorization

Bearer token used by Cloudflare API v4 requests

source code

automation scripts, Terraform providers, Wrangler config, committed .env files

config file

.env, CI configuration, deployment manifests, local shell profiles

secret store

CI/CD variables, cloud secret managers, hosted app settings

logs

curl traces, HTTP client debug logs, and API gateway logs containing Authorization headers

Notes

Prefer scoped API tokens over Global API keys. Token permissions and resource scopes determine blast radius; rotate any token found outside the intended secret store or deployment environment.

02

Global API Key (legacy)

cloudflare / global-api-key

Cloudflare Global API Key is the legacy account-wide API credential used with the account email address. Cloudflare recommends API tokens where possible and documents that new and rolled Global API Keys use the cfk_ prefixed scannable format.

user definedsecretAPI key

Looks like

example
example

Cloudflare's prefixed Global API Key format

cfk_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
CLOUDFLARE_API_KEY, CF_API_KEY, CLOUDFLARE_EMAIL, CF_EMAIL

legacy clients commonly require both key and account email

http header
X-Auth-Key, X-Auth-Email

legacy Cloudflare API authentication headers

source code

legacy automation scripts, Terraform provider configuration, DNS update clients

config file

.env, DNS updater config, CI configuration, shell profiles

secret store

CI/CD variables, cloud secret managers, hosted app settings

logs

HTTP client debug logs exposing X-Auth-Key or X-Auth-Email headers

Notes

Global API Key has broad access across a user's Cloudflare resources and requires the account email address for API use. Treat any leak as a high-impact account credential exposure and replace it with scoped API tokens where possible.

03

Account Login Password

cloudflare / account-login-password

Cloudflare dashboard users authenticate with an email address and password unless the account is governed by SSO. Account members and Super Administrators are managed through Cloudflare account and organization membership flows.

user definedsecretusername/password

Location

public interface
https://dash.cloudflare.com/login

Cloudflare dashboard login

secret store

password managers, enterprise SSO vaults, and identity-provider credential stores

logs

browser, proxy, or identity-provider logs that capture login submissions or reset flows

Notes

No universal Cloudflare dashboard default password is documented. MFA, SSO, role scopes, and membership policies affect the blast radius of a leaked password, but the password remains the primary account login secret when local Cloudflare authentication is used.

04

Account Recovery Codes

cloudflare / account-recovery-codes

Cloudflare two-factor authentication setup generates backup recovery codes that can be saved and later used to regain account access if the user loses access to their authenticator or reset channel.

generated on installsecretsecret value

Location

secret store

password managers, enterprise vaults, printed recovery-code storage

artifact

downloaded, printed, copied, or screenshot recovery-code exports

source code

accidentally committed notes, onboarding docs, or incident runbooks

Notes

Recovery codes are account-access secrets rather than API credentials. They should be rotated/regenerated if found in shared files, tickets, repositories, or screenshots.

05

R2 S3 Access Key / Secret Access Key

cloudflare / r2-s3-access-key

Cloudflare R2 S3-compatible API tokens produce an Access Key ID and Secret Access Key pair. Cloudflare states that the Secret Access Key is displayed only once after token creation and must be recorded by the operator.

generated on installsecretAPI key

Location

environment
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY
config file

S3 client profiles, rclone config, backup tool config, .env files

source code

object-storage clients, backup scripts, data pipelines, committed examples

secret store

CI/CD variables, cloud secret managers, backup platform secrets

logs

S3 client debug logs and failed-auth traces

Notes

R2 keys are commonly used through S3-compatible tooling, so they may appear under generic AWS_* names rather than Cloudflare-specific names. The endpoint identifies Cloudflare R2 usage: https://<ACCOUNT_ID>.r2.cloudflarestorage.com.

06

Cloudflare Access Service Token

cloudflare / access-service-token

Cloudflare Access service tokens are machine-to-machine credentials made of a client_id and client_secret. Cloudflare Access accepts them in CF-Access-Client-Id and CF-Access-Client-Secret headers and returns an application-scoped authorization cookie when valid.

generated on installsecrettoken

Looks like

example
example

service-token client_id format shown by Cloudflare Access examples

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.access
example

service-token client_secret value shown by Cloudflare Access examples

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

http header
CF-Access-Client-Id, CF-Access-Client-Secret
environment
CF_ACCESS_CLIENT_ID, CF_ACCESS_CLIENT_SECRET
source code

service-to-service clients, uptime probes, CI jobs, deployment scripts

config file

.env, Kubernetes manifests, reverse-proxy config, monitoring config

secret store

CI/CD variables, cloud secret managers, Kubernetes Secrets

logs

HTTP client debug logs and reverse-proxy logs containing Access headers

Notes

Client ID alone is not sufficient; the client secret is the sensitive half. The pair grants non-interactive access to protected applications according to the Access policy that trusts the service token.

07

Cloudflare Tunnel Token

cloudflare / cloudflare-tunnel-token

Remotely managed Cloudflare Tunnels use a generated tunnel token passed to cloudflared so the connector can enroll and run the tunnel without a browser login on the host.

generated on installsecrettoken

Location

environment
TUNNEL_TOKEN, CLOUDFLARE_TUNNEL_TOKEN
config file

cloudflared service units, Docker Compose files, Kubernetes manifests, systemd drop-ins

image

container images or VM images built with cloudflared run commands or token env vars

artifact

deployment bundles, bootstrap scripts, CI logs, copied tunnel run commands

secret store

Kubernetes Secrets, CI/CD variables, cloud secret managers

logs

process listings, service manager logs, shell histories, and cloudflared debug output

Notes

A leaked tunnel token can let another connector join or impersonate the tunnel depending on tunnel configuration and token validity. Treat copied cloudflared run commands as credential-bearing artifacts.

08

Origin CA Private Key

cloudflare / origin-ca-private-key

Cloudflare Origin CA certificates are installed on origin servers to authenticate the origin to Cloudflare. The private key generated with the certificate is the secret half and must be protected like any TLS private key.

generated on installsecretkey pair

Looks like

pattern
pattern

PEM private-key header; full private-key examples are multi-line and not useful as specimens

-----BEGIN (RSA |EC |)PRIVATE KEY-----

Location

config file

origin web server TLS key files, reverse-proxy config, Kubernetes TLS Secrets

secret store

certificate managers, Kubernetes Secrets, cloud secret managers

source code

accidentally committed origin certificate bundles or deployment examples

artifact

server backups, certificate export archives, configuration bundles

Notes

The public Origin CA certificate is not secret; the private key is. A leaked key can allow impersonation of the configured origin certificate where the corresponding certificate is trusted by Cloudflare.

09

Workers Secret Binding

cloudflare / workers-secret-binding

Cloudflare Workers secrets store sensitive values such as API keys, tokens, and passwords as encrypted environment-variable-like bindings. Cloudflare documents that secrets are not visible in Wrangler or the dashboard after definition, while the value is passed to the Worker at runtime.

user definedsecretsecret value

Location

secret store

Cloudflare Workers secret bindings managed by Wrangler or the dashboard

environment

available to Worker code as environment bindings at runtime

source code

wrangler commands, local dev vars, tests, or examples that accidentally embed secret values

config file

Wrangler configuration declaring required secret names; local .dev.vars and .env files may contain development copies

logs

Worker logs or local development output that prints secret binding values

Notes

Workers secrets are a storage location for arbitrary credentials, not a single Cloudflare-generated format. The secret name belongs in location or context; the leaked value should be classified by the underlying credential type when recognizable.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.