lolcreds

Public credential defaults and exposure patterns for authorized security testing.

GitHub

GitHub, Inc.CI/CD9 credentials

Credentials9 documented
01

Classic Personal Access Token

github / classic-personal-access-token

Classic personal access tokens authenticate GitHub API and Git-over-HTTPS requests as the user that created them. GitHub's token format uses the ghp_ prefix for this token type.

user definedsecrettoken

Looks like

example
example
ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

source code

git remote URLs, scripts, committed .env files, CI configuration

environment
GITHUB_TOKEN, GH_TOKEN, GITHUB_PAT
config file
~/.git-credentials

Git credential helper storage for HTTPS remotes

Notes

Scope is selected when the token is created. A classic PAT with broad repo or admin scopes should be treated as account-level access to the user's reachable repositories and organization resources.

02

Fine-Grained Personal Access Token

github / fine-grained-personal-access-token

Fine-grained personal access tokens authenticate as a user but are constrained to selected repositories and permissions. GitHub exposes them with the github_pat_ prefix.

user definedsecrettoken

Looks like

example
example
github_pat_XXXXXXXXXXXXXXXXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

source code

scripts, local tooling config, package publishing automation

environment
GITHUB_TOKEN, GH_TOKEN, GITHUB_PAT
secret store

CI/CD secret stores and deployment platforms that call GitHub

Notes

Fine-grained PATs reduce blast radius compared with classic PATs, but the token is still bearer material. Treat a leaked token according to the repository and permission set shown in GitHub's token settings.

03

OAuth Access Token

github / oauth-access-token

OAuth applications receive GitHub access tokens after a user completes an OAuth authorization flow. GitHub's token format uses the gho_ prefix for OAuth access tokens.

generated on installsecrettoken

Looks like

example
example
gho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

database

OAuth application databases and session stores

config file

application config and local OAuth client caches

logs

callback URLs or debug logs in poorly configured OAuth clients

Notes

The token's permissions are determined by the OAuth app scopes granted by the user. A leaked OAuth token lets an attacker act through that authorized application context until the grant is revoked or expires.

04

GitHub App User-to-Server Token

github / github-app-user-token

GitHub Apps can authenticate on behalf of a user and receive a user-to-server access token. GitHub's token format uses the ghu_ prefix for this token type.

generated on installsecrettoken

Looks like

example
example
ghu_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

database

GitHub App backend token stores

config file

local app development caches and service configuration

logs

GitHub App OAuth callback or API debug logs

Notes

Access reflects both the GitHub App's permissions and the authorizing user's access. The corresponding refresh token, when present, is a separate long-lived credential and should be rotated independently.

05

GitHub App Installation Token

github / github-app-installation-token

GitHub Apps exchange a signed app JWT for an installation access token scoped to repositories and permissions granted to that installation. GitHub's token format uses the ghs_ prefix for server-to-server tokens.

generated on installsecrettoken

Looks like

example
example
ghs_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
GITHUB_TOKEN

automatic token injected into GitHub Actions jobs

database

GitHub App backend cache for installation tokens

logs

API client debug output and Actions logs when printed

Notes

Installation tokens are short-lived but high-value. In GitHub Actions, the built-in GITHUB_TOKEN is created for each workflow job and expires when the job completes or after GitHub's documented maximum lifetime.

06

GitHub App Refresh Token

github / github-app-refresh-token

GitHub Apps that use expiring user access tokens receive refresh tokens to mint replacement user tokens. GitHub's token format uses the ghr_ prefix for refresh tokens.

generated on installsecrettoken

Looks like

example
example
ghr_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

database

GitHub App backend storage paired with user access tokens

config file

local development token caches

Notes

A refresh token is persistence material for a GitHub App user grant. Rotate it with the associated user access token after exposure.

07

GitHub App Private Key

github / github-app-private-key

GitHub Apps use a downloaded private key to sign JSON Web Tokens for app authentication. The private half of the key is the credential that allows minting app JWTs and then installation access tokens.

user definedsecretkey pair

Looks like

pattern
pattern

identified by the PEM private-key header; GitHub App private keys are downloaded as private-key files, so a full example is omitted

-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----

Location

config file

GitHub App .pem files on application servers and developer laptops

secret store

CI/CD or cloud secret stores used by GitHub App backends

source code

application repositories that accidentally commit the .pem file

Notes

The private key does not directly access repositories, but it can sign app JWTs that request installation tokens for every installation and permission granted to the GitHub App.

08

Deploy Key

github / deploy-key

A deploy key is an SSH key attached directly to one repository. GitHub stores the public key; the private key is held by the server or CI job that needs repository access.

user definedsecretkey pair

Looks like

pattern
pattern

identified by the private-key header line; a full PEM/OpenSSH key is multi-line and not useful as a compact example

-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----

Location

config file
~/.ssh/*_deploy_key

per-repository deploy key files used by Git SSH config aliases

secret store

CI/CD variables and deployment secret stores

source code

accidentally committed private keys in deployment repos

Notes

A deploy key can be read-only or read/write. Read/write deploy keys can push code to the attached repository without a user account, which makes them supply-chain sensitive even though their scope is a single repo.

09

GitHub Actions Secret

github / actions-secret

GitHub Actions secrets store arbitrary user-defined secret values for repositories, environments, and organizations. Workflows can expose those values to jobs as inputs or environment variables.

user definedsecretsecret value

Location

secret store

repository, environment, and organization Actions secrets

environment

workflow job environment variables populated from secrets.*

logs

workflow logs when a secret is printed, transformed, or bypasses masking

Notes

Actions secrets have no GitHub-specific textual shape because they are arbitrary values. Identify them by workflow context: secrets.NAME expressions, injected environment variables, or CI logs that reveal the expanded value.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.