Rocket.Chat
Rocket.Chatcollaboration3 credentials
Provisioned Admin Password
rocket-chat / admin-provisioning-password
Rocket.Chat deployment environment variables can provision an admin user during deployment. Rocket.Chat documents deployment variables for configuring and provisioning workspaces without relying on the UI.
Location
ADMIN_USERNAME, ADMIN_PASS, ADMIN_EMAIL, OVERWRITE_SETTING_Accounts_AdminUsernameRocket.Chat login and administration UIMongoDB database storing users, credentials, sessions, and settings
Docker/Kubernetes secrets, cloud secret managers, and deployment vaults
Docker Compose files, Helm values, tests, and committed deployment manifests
startup logs and provisioning output
Notes
Admin credentials are deployment-specific. Do not treat documentation examples as shipped defaults.
Personal Access Token
rocket-chat / personal-access-token
Rocket.Chat supports personal access tokens for API use. Tokens are user-scoped credentials for scripts, bots, and integrations.
Location
X-Auth-Token, AuthorizationRocket.Chat REST API token or bearer authentication context
MongoDB records storing user tokens and sessions
ROCKETCHAT_AUTH_TOKEN, ROCKETCHAT_TOKENbot config, integration config, .env files, and deployment manifests
bot secrets, CI/CD variables, and cloud secret managers
bot scripts, tests, and committed REST clients
REST API traces and bot logs
Notes
Token permissions follow the owning Rocket.Chat user and workspace roles.
MongoDB Credentials
rocket-chat / mongodb-credentials
Rocket.Chat stores workspace state in MongoDB and deployments configure MongoDB connection URIs through environment variables. Authenticated URIs can contain database usernames and passwords.
Looks like
patternmongodb(?:\+srv)?://[^\s:@]+:[^\s@]+@[^\s/]+Location
MONGO_URL, MONGO_OPLOG_URLDocker Compose files, systemd units, Helm values, and deployment manifests
Kubernetes Secrets, cloud secret managers, and database password vaults
committed deployment configs and test fixtures
startup logs and MongoDB connection troubleshooting output
Notes
MongoDB access can expose users, password hashes, tokens, messages, files metadata, integrations, and workspace settings.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.