lolcreds

Public credential defaults and exposure patterns for authorized security testing.

ERPNext

Frappe Technologiesenterprise app3 credentials

Credentials3 documented
01

Administrator/User Password

erpnext / administrator-password

ERPNext and the Frappe framework use local site users, including the Administrator account created during site setup, for Desk and API login.

generated on installuser definedsecretusername/password

Location

public interface
ERPNext/Frappe Desk login and REST API
database

Frappe site database user records and password verifier fields

config file

site_config.json, bench setup files, and deployment manifests

secret store

bench passwords, Docker/Kubernetes secrets, and password managers

source code

bench automation, test fixtures, and CI configuration

logs

bench install logs and authentication traces

Notes

There is no universal ERPNext Administrator password; it is set or generated during site creation.

02

API Key and API Secret

erpnext / api-key-secret

Frappe/ERPNext users can generate API key and API secret pairs for token-based REST API access.

generated on installuser definedsecretAPI key

Looks like

pattern
pattern

Frappe token authorization value containing api_key:api_secret

token\s+[A-Za-z0-9._~-]+:[A-Za-z0-9._~-]+

Location

http header
Authorization

Token api_key:api_secret for REST API authentication

database

User records storing API key and secret material

config file

integration scripts, .env files, bench commands, and connector settings

environment
FRAPPE_API_KEY, FRAPPE_API_SECRET, ERPNEXT_API_KEY, ERPNEXT_API_SECRET
secret store

CI/CD variables, vault entries, and integration secrets

source code

ERP integrations, tests, and automation repositories

logs

HTTP traces and connector debug logs

03

Site Config and Integration Secrets

erpnext / site-and-integration-secrets

ERPNext site configuration carries database credentials, encryption keys, scheduler/webhook secrets, email account passwords, and third-party integration tokens.

generated on installuser definedsecretsecret value

Location

config file
sites/*/site_config.json

per-site database password, encryption key, and integration settings

database

DocType records for Email Account, Social Login Key, integrations, and webhooks

secret store

Docker/Kubernetes secrets and bench deployment vaults

source code

bench repo configuration and committed site backups

artifact

bench backups containing site_config.json and SQL dumps

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.