lolcreds

Public credential defaults and exposure patterns for authorized security testing.

JFrog Artifactory

JFrogCI/CD3 credentials

Credentials3 documented
01

Access Token

jfrog-artifactory / access-token

JFrog Platform supports access tokens for authentication and authorization across JFrog services. JFrog administration docs cover access tokens as a central security mechanism.

generated on installsecrettoken

Location

http header
Authorization

Bearer token used for JFrog Platform and Artifactory APIs

database

JFrog access service database and token metadata stores

environment
JFROG_ACCESS_TOKEN, ARTIFACTORY_ACCESS_TOKEN
config file

jfrog CLI config, build tool settings, .env files, and CI manifests

secret store

CI/CD variables, build platform secrets, cloud secret managers, and vault entries

source code

pipelines, build scripts, tests, and committed CLI configs

logs

build logs, API client traces, and CI output

Notes

Token privileges depend on scopes, audience, user/service identity, and expiration.

02

Legacy API Key

jfrog-artifactory / api-key

JFrog Artifactory historically supported API keys, and current JFrog docs distinguish API keys from access tokens. Legacy API keys may still appear in build and deployment automation.

user definedsecretAPI key

Location

http header
X-JFrog-Art-Api

Artifactory API key header

environment
ARTIFACTORY_API_KEY, JFROG_API_KEY
config file

Maven/Gradle/npm/pip build config, jfrog CLI config, and .env files

secret store

CI/CD variables, build secrets, and cloud secret managers

source code

build scripts, dependency manager config, tests, and committed examples

logs

package manager debug logs and CI traces

Notes

Prefer access tokens where supported, but leaked API keys remain useful bearer credentials in older deployments.

03

Master Key / Join Key / Database Password

jfrog-artifactory / master-join-key-database

Self-hosted JFrog Platform deployments use sensitive shared keys and database credentials for node clustering, encryption, and persistence. Administration docs include centrally securing passwords and changing the Postgres database password.

generated on installuser definedsecretsecret value

Location

config file

system.yaml, db.properties, artifactory.config.xml, and deployment manifests

environment
JF_SHARED_DATABASE_PASSWORD, JF_SHARED_SECURITY_MASTERKEY, JF_SHARED_SECURITY_JOINKEY
secret store

Kubernetes Secrets, Helm secrets, cloud secret managers, and vault entries

source code

committed system.yaml, Helm values, and Docker Compose files

artifact

server backups and container images containing configuration

logs

startup logs and support bundles

Notes

These secrets can enable node impersonation, decryption of stored secrets, or direct database access depending on which value is exposed.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.