lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Firebase

Googlecloud3 credentials

Credentials3 documented
01

Firebase Web API Key

firebase / web-api-key

Firebase web and mobile configuration includes API keys that identify the Firebase project and app to Firebase services. Firebase documents that Firebase API keys are public by design and do not need to be treated as secrets when restricted to Firebase services.

generated on installpublic by designAPI key

Looks like

example
example

Google/Firebase API key prefix used in Firebase app configuration

AIzaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
FIREBASE_API_KEY, NEXT_PUBLIC_FIREBASE_API_KEY, VITE_FIREBASE_API_KEY
config file

firebaseConfig objects, google-services.json, GoogleService-Info.plist, .env files, and frontend build config

source code

web bundles, mobile apps, examples, and committed Firebase initialization code

logs

frontend build output and client SDK diagnostics

Notes

API keys identify the project but do not authorize access by themselves; Firebase Security Rules, Google Cloud IAM, and App Check provide authorization controls. Misconfigured restrictions still deserve review.

02

Service Account Private Key

firebase / service-account-private-key

Firebase Admin SDK server environments can authenticate with a Firebase Admin SDK service account. Firebase documents using a service account to communicate with Firebase from trusted server code.

generated on installsecretkey pair

Looks like

pattern
pattern

PEM private_key field inside a Google service account JSON file

-----BEGIN PRIVATE KEY-----

Location

config file
serviceAccountKey.json, firebase-adminsdk-*.json

downloaded service account JSON credentials for server SDKs

environment
GOOGLE_APPLICATION_CREDENTIALS, FIREBASE_SERVICE_ACCOUNT, GOOGLE_CREDENTIALS
secret store

cloud secret managers, CI/CD variables, Kubernetes Secrets, and platform app secrets

source code

accidentally committed service account JSON, tests, and deployment scripts

logs

CI output or stack traces that print credential JSON

Notes

Service account private keys can access Firebase and Google Cloud resources according to IAM roles. Prefer Application Default Credentials or workload identity where possible.

03

Firebase CLI Token

firebase / cli-token

Firebase CLI workflows can use login credentials or CI tokens to authorize project operations. Firebase CLI documentation describes authentication for deployment and project-management commands.

user definedsecrettoken

Location

environment
FIREBASE_TOKEN
config file

CI configuration, local Firebase CLI credential stores, and deployment manifests

secret store

CI/CD variables and hosted deployment secrets

source code

legacy deploy scripts and accidentally committed CI examples

logs

deployment logs and CI traces

Notes

Firebase CLI tokens authorize deployment and administrative actions for the projects reachable by the authenticated Google account or service setup.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.