Salesforce
Salesforcesaas4 credentials
OAuth Access / Refresh Token
salesforce / oauth-access-refresh-token
Salesforce Connected Apps use OAuth flows to issue access tokens and, for supported flows, refresh tokens. Salesforce REST API requests authenticate with OAuth bearer tokens.
Location
AuthorizationBearer token used for Salesforce REST API requests
OAuth token endpoint responses containing access_token and refresh_token
connected app token stores and integration credential tables
SALESFORCE_ACCESS_TOKEN, SALESFORCE_REFRESH_TOKEN, SF_ACCESS_TOKENintegration config, local token caches, .env files, and deployment manifests
cloud secret managers, CI/CD variables, and integration platform secrets
OAuth callback logs, API client traces, and failed login output
Notes
Token blast radius depends on Connected App policies, scopes, user profile, permission sets, and session controls.
Connected App Consumer Secret
salesforce / connected-app-consumer-secret
Salesforce Connected Apps created for API integration have a consumer key and consumer secret. The consumer secret authenticates confidential OAuth clients during token exchange.
Location
SALESFORCE_CLIENT_ID, SALESFORCE_CLIENT_SECRET, SF_CLIENT_ID, SF_CLIENT_SECRETConnected App OAuth config, .env files, integration settings, and deployment manifests
cloud secret managers, CI/CD variables, and integration platform secrets
OAuth examples, middleware config, tests, and accidentally committed settings
token exchange request dumps and OAuth troubleshooting output
Notes
The consumer key identifies the Connected App; the consumer secret is confidential and can be used to impersonate the app in OAuth flows that require it.
Username / Password / Security Token
salesforce / username-password-security-token
Salesforce API integrations may use username-password OAuth or SOAP login patterns where a user's password is combined with a Salesforce security token. Salesforce documents user security tokens and OAuth username-password flows for API authentication.
Location
SALESFORCE_USERNAME, SALESFORCE_PASSWORD, SALESFORCE_SECURITY_TOKEN, SF_USERNAME, SF_PASSWORD, SF_SECURITY_TOKENETL connector config, middleware config, .env files, and deployment manifests
cloud secret managers, CI/CD variables, and iPaaS credential stores
integration scripts, data loaders, tests, and accidentally committed credentials
failed login traces, connector debug logs, and CI output
/services/oauth2/tokenOAuth username-password token endpoint context
Notes
This is a user-defined credential flow, not a shipped default. The security token is an additional Salesforce user credential commonly concatenated to the password by legacy integrations.
JWT Bearer Private Key
salesforce / jwt-bearer-private-key
Salesforce Connected Apps can use JWT bearer flow with a certificate and private key to authenticate server-to-server integrations. The private key signs the JWT assertion submitted to Salesforce.
Looks like
pattern-----BEGIN (?:RSA |EC |)PRIVATE KEY-----Location
PEM files, keystores, integration config, .env files, and deployment manifests
SALESFORCE_PRIVATE_KEY, SF_JWT_PRIVATE_KEYcloud KMS, secret managers, CI/CD variables, and integration platform secrets
JWT bearer examples, tests, and accidentally committed PEM files
JWT assertion generation debug logs and CI traces
Notes
The uploaded certificate is public verification material; the private key is the credential that can mint signed assertions for the Connected App.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.