JFrog Artifactory
JFrogCI/CD3 credentials
Access Token
jfrog-artifactory / access-token
JFrog Platform supports access tokens for authentication and authorization across JFrog services. JFrog administration docs cover access tokens as a central security mechanism.
Location
AuthorizationBearer token used for JFrog Platform and Artifactory APIs
JFrog access service database and token metadata stores
JFROG_ACCESS_TOKEN, ARTIFACTORY_ACCESS_TOKENjfrog CLI config, build tool settings, .env files, and CI manifests
CI/CD variables, build platform secrets, cloud secret managers, and vault entries
pipelines, build scripts, tests, and committed CLI configs
build logs, API client traces, and CI output
Notes
Token privileges depend on scopes, audience, user/service identity, and expiration.
Legacy API Key
jfrog-artifactory / api-key
JFrog Artifactory historically supported API keys, and current JFrog docs distinguish API keys from access tokens. Legacy API keys may still appear in build and deployment automation.
Location
X-JFrog-Art-ApiArtifactory API key header
ARTIFACTORY_API_KEY, JFROG_API_KEYMaven/Gradle/npm/pip build config, jfrog CLI config, and .env files
CI/CD variables, build secrets, and cloud secret managers
build scripts, dependency manager config, tests, and committed examples
package manager debug logs and CI traces
Notes
Prefer access tokens where supported, but leaked API keys remain useful bearer credentials in older deployments.
Master Key / Join Key / Database Password
jfrog-artifactory / master-join-key-database
Self-hosted JFrog Platform deployments use sensitive shared keys and database credentials for node clustering, encryption, and persistence. Administration docs include centrally securing passwords and changing the Postgres database password.
Location
system.yaml, db.properties, artifactory.config.xml, and deployment manifests
JF_SHARED_DATABASE_PASSWORD, JF_SHARED_SECURITY_MASTERKEY, JF_SHARED_SECURITY_JOINKEYKubernetes Secrets, Helm secrets, cloud secret managers, and vault entries
committed system.yaml, Helm values, and Docker Compose files
server backups and container images containing configuration
startup logs and support bundles
Notes
These secrets can enable node impersonation, decryption of stored secrets, or direct database access depending on which value is exposed.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.