Okta
Oktaidentity4 credentials
SSWS API Token
okta / ssws-api-token
Okta API tokens authenticate requests to Okta APIs. Okta documents that callers supply the token in the HTTP Authorization header with the SSWS authentication scheme.
Location
AuthorizationSSWS token used for Okta API requests
OKTA_API_TOKEN, OKTA_TOKEN.env files, Terraform provider config, automation config, and deployment manifests
CI/CD variables, cloud secret managers, and identity automation secrets
Okta automation scripts, tests, examples, and committed IaC
API client traces, Terraform logs, and CI output
Notes
Okta recommends scoped OAuth 2.0 access tokens over proprietary SSWS API tokens where possible. SSWS token privilege is tied to the creating user's permissions and network restrictions.
OAuth Service App Private Key
okta / oauth-service-app-private-key
Okta service apps can authenticate to the org authorization server with a public/private key pair. Okta documents creating and signing a JSON Web Token using the private key to obtain scoped OAuth access tokens.
Looks like
pattern-----BEGIN (?:RSA |EC |)PRIVATE KEY-----Location
PEM/JWK files, OAuth service app config, Terraform variables, and deployment manifests
OKTA_PRIVATE_KEY, OKTA_CLIENT_PRIVATE_KEYcloud KMS, secret managers, CI/CD variables, and platform app secrets
service app examples, tests, and accidentally committed key material
Notes
The registered public key is not secret, but the private key can mint client assertions for the service app and should be stored server-side.
OAuth Client Secret
okta / oauth-client-secret
Okta OIDC and OAuth clients can use client secret authentication depending on the application type and client authentication method. Okta documents switching service apps between client secret and public/private key authentication methods.
Location
OKTA_CLIENT_ID, OKTA_CLIENT_SECRETOIDC client config, .env files, backend settings, and deployment manifests
cloud secret managers, CI/CD variables, and platform app secrets
OIDC examples, tests, Terraform files, and committed configuration
token request traces and OAuth troubleshooting logs
Notes
Client secret exposure can allow impersonation of the Okta OAuth client in token flows that accept client_secret authentication.
User Password
okta / user-password
Okta Authentication API primary authentication validates a user's primary password credential. Okta documents trusted applications sending username and password in the authentication transaction, optionally with an SSWS token.
Looks like
pattern"password"\s*:\s*"[^"\r\n]+"Location
/api/v1/authnAuthentication API primary authentication endpoint
request dumps, proxy logs, and failed authentication traces if bodies are logged
test fixtures, examples, and scripts containing sample user credentials
Notes
This is an ordinary user-defined password flow, not a shipped default. Okta account access is further shaped by MFA, policies, and app assignments.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.