lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Dropbox

Dropboxsaas2 credentials

Credentials2 documented
01

OAuth Access / Refresh Token

dropbox / oauth-access-refresh-token

Dropbox uses OAuth 2.0 to authorize access to user data. Dropbox documents that the OAuth flow returns an access token to the app, used in API calls with Authorization: Bearer, and supports refresh tokens for short-lived access tokens.

generated on installsecrettoken

Location

http header
Authorization

Bearer token used for Dropbox API calls

http response

OAuth token endpoint responses containing access_token and refresh_token

database

application token stores mapped to Dropbox users or teams

environment
DROPBOX_ACCESS_TOKEN, DROPBOX_REFRESH_TOKEN
config file

OAuth example config, local token caches, .env files, and integration settings

secret store

cloud secret managers, CI/CD variables, and encrypted app secrets

logs

OAuth callback logs and API client traces

Notes

Access token permissions are controlled by scopes selected for the app and authorization grant. Refresh tokens extend access until revoked.

02

App Secret

dropbox / app-secret

Dropbox apps have an app key and app secret, also called client_id and client_secret. Dropbox documents obtaining the app key and secret from the App Console when registering an app.

generated on installsecretsecret value

Location

environment
DROPBOX_APP_KEY, DROPBOX_APP_SECRET, DROPBOX_CLIENT_ID, DROPBOX_CLIENT_SECRET
config file

OAuth backend config, .env files, app config, and deployment manifests

secret store

CI/CD variables, cloud secret managers, and hosted app secrets

source code

OAuth examples, app settings, tests, and accidentally committed integration config

logs

OAuth token request dumps and troubleshooting logs

Notes

The app key identifies the app; the app secret is confidential and can be used to authenticate token exchange requests for confidential clients.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.