lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Okta

Oktaidentity4 credentials

Credentials4 documented
01

SSWS API Token

okta / ssws-api-token

Okta API tokens authenticate requests to Okta APIs. Okta documents that callers supply the token in the HTTP Authorization header with the SSWS authentication scheme.

user definedsecrettoken

Location

http header
Authorization

SSWS token used for Okta API requests

environment
OKTA_API_TOKEN, OKTA_TOKEN
config file

.env files, Terraform provider config, automation config, and deployment manifests

secret store

CI/CD variables, cloud secret managers, and identity automation secrets

source code

Okta automation scripts, tests, examples, and committed IaC

logs

API client traces, Terraform logs, and CI output

Notes

Okta recommends scoped OAuth 2.0 access tokens over proprietary SSWS API tokens where possible. SSWS token privilege is tied to the creating user's permissions and network restrictions.

02

OAuth Service App Private Key

okta / oauth-service-app-private-key

Okta service apps can authenticate to the org authorization server with a public/private key pair. Okta documents creating and signing a JSON Web Token using the private key to obtain scoped OAuth access tokens.

user definedsecretkey pair

Looks like

pattern
pattern

PEM private key used to sign Okta OAuth client assertions

-----BEGIN (?:RSA |EC |)PRIVATE KEY-----

Location

config file

PEM/JWK files, OAuth service app config, Terraform variables, and deployment manifests

environment
OKTA_PRIVATE_KEY, OKTA_CLIENT_PRIVATE_KEY
secret store

cloud KMS, secret managers, CI/CD variables, and platform app secrets

source code

service app examples, tests, and accidentally committed key material

Notes

The registered public key is not secret, but the private key can mint client assertions for the service app and should be stored server-side.

03

OAuth Client Secret

okta / oauth-client-secret

Okta OIDC and OAuth clients can use client secret authentication depending on the application type and client authentication method. Okta documents switching service apps between client secret and public/private key authentication methods.

generated on installsecretsecret value

Location

environment
OKTA_CLIENT_ID, OKTA_CLIENT_SECRET
config file

OIDC client config, .env files, backend settings, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and platform app secrets

source code

OIDC examples, tests, Terraform files, and committed configuration

logs

token request traces and OAuth troubleshooting logs

Notes

Client secret exposure can allow impersonation of the Okta OAuth client in token flows that accept client_secret authentication.

04

User Password

okta / user-password

Okta Authentication API primary authentication validates a user's primary password credential. Okta documents trusted applications sending username and password in the authentication transaction, optionally with an SSWS token.

user definedsecretusername/password

Looks like

pattern
pattern

Okta Authentication API JSON password field; the password value itself has no Okta-specific shape

"password"\s*:\s*"[^"\r\n]+"

Location

public interface
/api/v1/authn

Authentication API primary authentication endpoint

logs

request dumps, proxy logs, and failed authentication traces if bodies are logged

source code

test fixtures, examples, and scripts containing sample user credentials

Notes

This is an ordinary user-defined password flow, not a shipped default. Okta account access is further shaped by MFA, policies, and app assignments.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.