lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Gitea

GiteaCI/CD4 credentials

Credentials4 documented
01

Local User Password

gitea / local-user-password

Gitea local users authenticate to the web UI, Git over HTTP, SSH workflows, and APIs. The first admin is created during installation or user provisioning.

user definedgenerated on installsecretusername/password

Location

public interface
Gitea web UI, Git HTTP, SSH, and API
database

Gitea user table and password hash state

config file
app.ini

security, auth, mailer, and database configuration

secret store

password managers and deployment vaults

source code

Docker Compose files, Helm values, and integration tests

02

Personal Access Token / OAuth Token

gitea / personal-access-token

Gitea users can create access tokens for API and Git operations. OAuth2 application secrets and tokens are also stored for integrations.

generated on installuser definedsecrettoken

Location

http header
Authorization

token or Bearer token used by Gitea API clients

database

access token and OAuth application/token tables

config file

CLI configs, integration scripts, .netrc, and .env files

environment
GITEA_TOKEN, GITEA_ACCESS_TOKEN
secret store

CI/CD variables and vault entries

source code

automation scripts, GitHub Actions, and tests

logs

API debug logs and CI output

03

Internal Token, Secret Key, JWT and LFS Secrets

gitea / internal-security-secrets

Gitea app.ini contains generated security values such as SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET, and LFS_JWT_SECRET used for internal signing, sessions, and service communication.

generated on installuser definedsecretsecret value

Looks like

pattern
pattern

Gitea app.ini security secret assignment

^(SECRET_KEY|INTERNAL_TOKEN|JWT_SECRET|LFS_JWT_SECRET)\s*=\s*\S+

Location

config file
custom/conf/app.ini

Gitea security and server secrets

environment
GITEA__security__SECRET_KEY, GITEA__security__INTERNAL_TOKEN
secret store

Kubernetes Secrets, Docker secrets, and configuration vaults

artifact

application backups and support bundles

04

Database, Mailer, Webhook, and Integration Secrets

gitea / database-mailer-webhook-secrets

Gitea deployments store database passwords, SMTP credentials, webhook secrets, OAuth app client secrets, and external auth bind credentials.

user definedsecretsecret value

Location

config file
app.ini

database, mailer, webhook, OAuth2, and auth source sections

database

OAuth applications, webhook secrets, and external login source configuration

secret store

deployment secrets and cloud secret managers

source code

IaC manifests and committed sample configs

logs

mailer, webhook, and auth source debug logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.