lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Vercel

Vercelcloud2 credentials

Credentials2 documented
01

API Token

vercel / api-token

Vercel API and CLI automation use account tokens. Vercel documentation includes token management and CLI commands that operate with tokens for deployments, teams, projects, and environment variables.

user definedsecrettoken

Location

http header
Authorization

Bearer token used for Vercel API requests

environment
VERCEL_TOKEN
config file

Vercel CLI config, CI pipeline config, .env files, and deployment manifests

secret store

GitHub Actions secrets, CI/CD variables, cloud secret managers, and password managers

source code

deployment scripts, tests, and accidentally committed CLI configs

logs

CI logs, CLI traces, and API client debug output

Notes

Token blast radius depends on account/team permissions and scopes selected at token creation.

02

Project Environment Variable Secret

vercel / project-environment-secret

Vercel projects store environment variables and secrets used by builds, serverless functions, and deployments. Vercel CLI env commands manage project environment variables.

user definedsecretsecret value

Location

secret store

Vercel project environment variables and encrypted deployment secrets

environment

runtime and build-time environment variables exposed to Vercel functions/builds

config file

.env, .env.local, vercel.json, and CI pipeline configuration

source code

accidentally committed .env files, tests, and examples

logs

build logs and runtime logs if applications print environment values

Notes

Vercel environment secrets often contain downstream database URLs, API tokens, OAuth secrets, and cloud credentials.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.