lolcreds

Public credential defaults and exposure patterns for authorized security testing.

OpenAI Codex

OpenAIAI API3 credentials

Credentials3 documented
01

OpenAI API Key

openai-codex / openai-api-key

Codex supports OpenAI API key authentication through OPENAI_API_KEY and auth.json.

user definedsecretAPI key

Looks like

example
example

OpenAI project or service-account API key

sk-proj-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
example

Legacy OpenAI API key form, kept after the more specific project/service-account pattern

sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
OPENAI_API_KEY
config file
~/.codex/auth.json, ~/.codex/config.toml, ~/.codex/.credentials.json

Default Codex home credential and config files on Unix-like systems; CODEX_HOME can relocate these files but is not itself credential material

config file
%USERPROFILE%\.codex\auth.json, %USERPROFILE%\.codex\config.toml, %USERPROFILE%\.codex\.credentials.json

Default Codex home credential and config files on Windows

config file
.codex/config.toml, .env, .env.local, .env.production, docker-compose.yml, compose.yml, devcontainer.json

Project-local Codex and container/devcontainer files that may pass OPENAI_API_KEY or provider settings

secret store

OS keychain, GitHub Actions secrets, CI/CD variables, cloud secret managers, Docker secrets, and Kubernetes Secrets

source code

Codex scripts, container wrappers, app-server config, tests, MCP configuration, and committed automation

logs

Codex logs, shell history, CI traces, debug dumps, app-server logs, and terminal transcripts

Notes

Codex source uses CODEX_HOME as a base directory override. It is intentionally not listed as a credential-value env var.

02

ChatGPT Login Token

openai-codex / chatgpt-login-token

Codex auth.json can store ChatGPT login tokens and account auth state used instead of API-key auth.

generated on installgenerated on installsecrettoken

Location

config file
~/.codex/auth.json
config file
%USERPROFILE%\.codex\auth.json
secret store

OS keychain or password vault entries used by Codex login flows

logs

Debug logs, auth troubleshooting output, terminal transcripts, and copied auth.json content

Notes

No stable public token prefix was found in Codex docs/source; use exact auth.json location and field context.

03

MCP OAuth Credential

openai-codex / mcp-oauth-credential

Codex remote MCP support may persist OAuth credentials in keyring or a CODEX_HOME-backed fallback credentials file.

generated on installsecrettoken

Location

config file
~/.codex/.credentials.json

Codex source documents fallback MCP OAuth credentials under CODEX_HOME/.credentials.json

config file
%USERPROFILE%\.codex\.credentials.json
secret store

OS keychain/keyring storage for MCP OAuth credentials

logs

MCP auth debug output and OAuth callback traces

Notes

The default CODEX_HOME is ~/.codex; user-provided CODEX_HOME can relocate this file.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.