lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Pinecone

Pineconedatabase6 credentials

Credentials6 documented
01

Pinecone API Key

pinecone / api-key

Pinecone API keys authenticate requests to Pinecone Data Plane and Control Plane APIs. The official quickstart and SDK examples use PINECONE_API_KEY, and the API reference documents API-key authentication for Pinecone requests.

user definedgenerated on installsecretAPI key

Location

http header
Api-Key, X-Pinecone-API-Key, Authorization

Pinecone REST, SDK, gateway, and proxy request authentication contexts

environment
PINECONE_API_KEY
config file
.env, .env.local, .env.production, pinecone.yml, pinecone.yaml, config.yaml, config.yml, docker-compose.yml, compose.yml, values.yaml, deployment.yaml, notebook.ipynb

Project-local, notebook, container, Kubernetes, Helm, and application configuration files

secret store

Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, hosted app config vars, IDE/agent secrets, and password vaults

source code

Python/TypeScript/Java/Go clients, notebooks, RAG apps, LangChain/LlamaIndex integrations, MCP servers, tests, examples, and committed deployment code

logs

API debug logs, SDK traces, notebook output, CI logs, proxy logs, exception reports, and support bundles

Notes

Pinecone key values are opaque and no stable public prefix is documented. Scanner logic should prioritize env/header/client-argument context rather than value shape. PINECONE_TOKEN and host/environment variables were omitted from the scanner-facing environment location because the sourced docs emphasize PINECONE_API_KEY as the credential value; host, index, namespace, and project IDs are context rather than secrets.

02

Service Account OAuth Client Secret / Access Token

pinecone / service-account-oauth-secret

Pinecone Admin API service-account workflows use OAuth token creation at login.pinecone.io. Client credentials and resulting access tokens authorize Admin API requests such as project, API-key, and organization management.

user definedgenerated on installsecrettoken

Location

http header
Authorization

Bearer access token used for Pinecone Admin API requests

public interface
https://login.pinecone.io/oauth/token, /oauth/token

Pinecone OAuth token endpoint contexts

environment
PINECONE_CLIENT_SECRET, PINECONE_SERVICE_ACCOUNT_SECRET, PINECONE_ACCESS_TOKEN
config file
.env, .env.local, .env.production, pinecone.yml, pinecone.yaml, config.yaml, config.yml, docker-compose.yml, compose.yml, values.yaml, deployment.yaml

Admin automation, service-account, and deployment configuration files

secret store

Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, admin automation vaults, and password vaults

source code

admin automation scripts, Terraform/Pulumi code, CI workflows, tests, examples, and committed service-account clients

logs

OAuth token exchange logs, Admin API traces, CI logs, proxy logs, and support bundles

Notes

Service-account secrets and access tokens are distinct from regular project API keys; both can be high-impact because they may create or revoke keys. Client and service-account IDs are not listed as credential-value locations; the client secret, service-account secret, and access token are the secret values.

03

Pinecone CLI / Target Context Credential

pinecone / cli-and-target-context

Pinecone CLI and IDE/agent integrations store target context and authenticate before selecting projects, indexes, or databases. Local config and agent workspace files may contain API keys, target hosts, project identifiers, or generated snippets from the console.

user definedgenerated on installsecretAPI key

Location

environment
PINECONE_API_KEY
config file
mcp.json, claude_desktop_config.json, cursor.json, settings.json

IDE, MCP, and workspace configuration files that may contain Pinecone API keys or generated target snippets. Pinecone CLI target files can also exist in user config directories, but exact filenames were not confirmed.

config file
mcp.json, claude_desktop_config.json, cursor.json, settings.json

IDE, MCP, and workspace configuration files that may contain Pinecone API keys or generated target snippets. Pinecone CLI target files can also exist in user config directories, but exact filenames were not confirmed.

secret store

IDE secret stores, OS keychains, CI/CD variables, cloud secret managers, and password vaults

source code

agent skill configs, MCP servers, AI coding tool snippets, notebooks, examples, and committed workspace files

logs

CLI command output, IDE logs, agent logs, MCP traces, and CI output

Notes

The target context may not be secret by itself, but it often appears next to Pinecone API keys or service-account tokens.

04

Pinecone Assistant / Hosted Model API Key

pinecone / assistant-and-hosted-model-api-key

Pinecone Assistant and hosted inference APIs use Pinecone authentication to upload files, query assistants, generate embeddings, rerank, and manage assistant projects. Keys used in these contexts can expose assistant data, context snippets, and hosted-model usage.

user definedgenerated on installsecretAPI key

Location

http header
Api-Key, X-Pinecone-API-Key, Authorization

Pinecone Assistant, inference, embedding, and rerank API request contexts

environment
PINECONE_API_KEY, PINECONE_ASSISTANT_API_KEY
public interface
/assistant, /assistant/chat, /assistant/files, /embed, /rerank, /models

Pinecone Assistant and hosted inference endpoint contexts

config file
.env, .env.local, .env.production, assistant.yaml, assistant.yml, pinecone.yml, pinecone.yaml, config.yaml, config.yml, notebook.ipynb

Assistant, hosted model, notebook, and app configuration files

secret store

Kubernetes Secrets, Docker secrets, CI/CD variables, hosted app config vars, cloud secret managers, and password vaults

source code

assistant clients, RAG apps, notebooks, examples, tests, frontend/backend code, and committed demos

logs

assistant chat traces, file upload logs, inference request logs, notebook output, proxy logs, and support bundles

Notes

Pinecone Assistant can store files, snippets, and conversation context; API keys protecting it can expose more than vector index metadata.

05

Embedding / RAG Integration Provider API Key

pinecone / integration-provider-api-key

Pinecone applications commonly combine Pinecone keys with embedding, LLM, object-store, and data-source credentials. These are not Pinecone-native secrets, but Pinecone integrations often store them beside Pinecone config.

user definedgenerated on installsecretAPI key

Location

environment
OPENAI_API_KEY, ANTHROPIC_API_KEY, COHERE_API_KEY, VOYAGE_API_KEY, JINA_API_KEY, MISTRAL_API_KEY, GOOGLE_API_KEY, GEMINI_API_KEY, HUGGINGFACEHUB_API_TOKEN, HF_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
config file
.env, .env.local, .env.production, docker-compose.yml, compose.yml, values.yaml, deployment.yaml, config.yaml, config.yml, notebook.ipynb

Pinecone RAG, embedding, data-ingestion, and deployment configuration files

secret store

Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, hosted app config vars, and password vaults

source code

embedding pipelines, LangChain/LlamaIndex apps, notebooks, data ingestion jobs, tests, examples, and committed application code

logs

embedding API errors, ingestion traces, notebook output, CI logs, and support bundles

Notes

Keep provider-specific token shapes in provider templates where available; this block captures the product-local storage context for Pinecone deployments.

06

Vector Index / Namespace / Import Data Leakage

pinecone / vector-index-and-namespace-data-leakage

Pinecone indexes, namespaces, records, metadata, imports, backups, and assistant context can contain proprietary content, PII, embedded secrets, retrieval context, or sensitive tenant/project identifiers.

user definedgenerated on installcontext dependentsecret value

Location

public interface
/vectors/upsert, /query, /vectors/fetch, /vectors/update, /vectors/delete, /describe_index_stats, /records/upsert, /namespaces, /bulk/imports

Pinecone data-plane and import endpoint contexts that can expose records, metadata, and namespace data

environment
PINECONE_INDEX, PINECONE_NAMESPACE, PINECONE_PROJECT_ID, PINECONE_HOST, PINECONE_INDEX_HOST
config file
.env, .env.local, .env.production, import.yaml, import.yml, pinecone.yml, pinecone.yaml, config.yaml, config.yml, notebook.ipynb

Index, namespace, import, backup, and RAG application configuration files

database

vector IDs, records, metadata, namespace names, import records, assistant files, and retrieval context stored in Pinecone projects

artifact

vector export files, import manifests, backups, parquet/json/jsonl/csv datasets, notebook exports, support bundles, and model/RAG demo archives

logs

query traces, retrieved document logs, import logs, embedding logs, application debug logs, notebook output, and backup/restore output

Notes

Treat this as context-dependent sensitive data. Scanner hits should identify places where Pinecone-connected apps expose data even when no credential value is present.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.