Contentful
Contentfulsaas3 credentials
Content Delivery / Preview API Token
contentful / delivery-preview-api-token
Contentful Content Delivery and Preview APIs use access tokens generated from API keys in the Contentful web app. Contentful documents sending the token as access_token query parameter or, preferably, Authorization: Bearer.
Location
AuthorizationBearer token used for Contentful API requests
access_tokenquery parameter form accepted by Contentful APIs
CONTENTFUL_ACCESS_TOKEN, CONTENTFUL_DELIVERY_TOKEN, CONTENTFUL_PREVIEW_TOKENsite generator config, CMS integration config, .env files, and deployment manifests
CI/CD variables, hosting platform secrets, and cloud secret managers
frontend builds, static-site config, examples, and committed CMS clients
build logs, API client traces, and failed preview requests
Notes
Delivery tokens are often used in builds and runtimes; Preview tokens can expose draft content and should be treated as more sensitive.
Content Management Personal Access Token
contentful / management-api-pat
Contentful Content Management API access can use a personal access token. Contentful documents getting a personal access token and authenticating API requests with Bearer tokens.
Location
AuthorizationBearer token used for Content Management API calls
CONTENTFUL_MANAGEMENT_TOKEN, CONTENTFUL_CMA_TOKEN, CONTENTFUL_PATmigration tooling config, .env files, deployment manifests, and CMS automation settings
CI/CD variables, cloud secret managers, and release automation secrets
migration scripts, seed scripts, tests, and committed management clients
content migration logs, API traces, and CI output
Notes
Management tokens can create, update, and delete Contentful resources according to the user's permissions and selected spaces.
OAuth Access Token
contentful / oauth-token
Contentful supports OAuth tokens for applications. Contentful documents OAuth tokens as another way to authenticate API calls using the same Bearer header mechanism.
Location
AuthorizationBearer OAuth access token
OAuth token endpoint responses
integration OAuth installation token stores
local OAuth examples and application config
encrypted app token stores and cloud secret managers
OAuth callback and token exchange logs
Notes
OAuth token permissions depend on the authorized user, organization, spaces, and scopes granted to the app.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.