lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Algolia

Algoliadatabase4 credentials

Credentials4 documented
01

Algolia User / Administrator Password

algolia / user-password

Algolia users and administrators authenticate to the Algolia dashboard, account administration, SSO, and API-key management surfaces with user-defined or federated credentials.

user definedsecretusername/password

Location

public interface
/users/sign_in, /account, /apps, /api-keys

Algolia dashboard, application, and API key management contexts

secret store

Password managers, enterprise identity providers, break-glass account vaults, and managed credential stores

logs

Sign-in logs, audit events, browser exports, dashboard actions, and support traces

Notes

Catalogs ordinary user/admin credential locations; no static Algolia default password is modeled.

02

Algolia API Key

algolia / api-key

Algolia API keys authorize Search, Admin, Crawler, and dashboard operations. Official CLI/source behavior uses ALGOLIA_API_KEY, with ALGOLIA_ADMIN_API_KEY retained as a deprecated legacy/admin key variable. The CLI can also store legacy profile keys in ~/.config/algolia/config.toml and newer credentials in the OS keychain with state metadata in state.toml.

generated on installuser definedsecretAPI key

Looks like

example
example

Algolia API keys are commonly 32 hex-like characters; use only with Algolia-specific context

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
pattern

Contextual Algolia API-key assignment compatible with Betterleaks/Gitleaks algolia-api-key rule

(?i)(?:algolia)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)

Location

environment
ALGOLIA_API_KEY, ALGOLIA_ADMIN_API_KEY

Official CLI/source supports ALGOLIA_API_KEY; ALGOLIA_ADMIN_API_KEY is deprecated but still recognized by the CLI

http header
X-Algolia-API-Key

Algolia API key header used by Algolia clients and REST APIs

public interface
/account/api-keys, /apps, /dashboard

Algolia dashboard and API-key management contexts

config file
~/.config/algolia/config.toml

Algolia CLI legacy profile config that can contain api_key, admin_api_key, and crawler_api_key fields

config file
%USERPROFILE%\.config\algolia\config.toml

Windows home-relative equivalent of the Algolia CLI config path used by the CLI source logic

config file
.env, algolia.config.js, algolia.config.ts, algolia.json, search.config.js, config.js, config.ts

Project-local Algolia SDK/application configuration files where ALGOLIA_API_KEY may appear

secret store

OS keychain, CI/CD variables, cloud secret managers, platform secret stores, password vaults, and integration vaults

source code

Application code, indexing scripts, crawler configs, tests, notebooks, examples, and infrastructure-as-code

logs

API debug logs, indexing jobs, crawler logs, CI output, exception traces, and support bundles

Notes

ALGOLIA_APPLICATION_ID is required context but not secret material, so it is not listed as a credential-value environment location. The CLI's state.toml mainly tracks selected applications and key UUIDs; actual new-model secrets are stored in the OS keychain.

03

Search-Only API Key

algolia / search-only-api-key

Algolia search-only API keys are commonly embedded in browser/mobile clients. They are less sensitive than admin keys but still authorize scoped search operations and can expose indexes, filters, and usage patterns.

generated on installuser definedsecretAPI key

Looks like

example
example

Use only with Algolia client/config context to avoid matching arbitrary hex strings

bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

Location

http header
X-Algolia-API-Key

Algolia search API key header in client requests

http response

Built frontend bundles, SSR responses, and generated config payloads may expose search-only keys

config file
.env, algolia.config.js, algolia.config.ts, search.config.js, next.config.js, vite.config.js

Frontend and server-rendered application configuration files that may contain search-only keys

source code

Browser/mobile applications, frontend bundles, search widgets, indexing examples, tests, and docs

logs

Frontend build logs, API traces, crawler logs, and support bundles

Notes

Search-only keys are often intentionally client-exposed; triage should consider ACLs, indexes, restrictions, and whether an admin key was exposed instead.

04

Crawler API Key

algolia / crawler-api-key

Algolia CLI and crawler workflows can store a crawler API key alongside the application API key. Current CLI source stores secrets in the OS keychain and legacy profiles in config.toml.

generated on installuser definedsecretAPI key

Looks like

pattern
pattern

Contextual crawler API-key assignment in Algolia CLI/profile or crawler configuration

(?i)(crawler[_-]?api[_-]?key|algolia(?:[ \t\w.-]{0,20})crawler)[\s'"]{0,3}(?:=|:|=>|,)[\x60'"\s=]{0,5}([a-z0-9]{32})(?:\\?['"\x60]|[\s;]|\\[nr]|$)

Location

config file
~/.config/algolia/config.toml

Legacy Algolia CLI profile file can contain crawler_api_key

config file
%USERPROFILE%\.config\algolia\config.toml

Windows home-relative equivalent of the Algolia CLI legacy profile file

config file
.env, algolia.config.js, crawler.config.js, crawler.json, config.js, config.ts

Project-local crawler and indexing configuration files

secret store

OS keychain, CI/CD variables, cloud secret managers, and indexing pipeline secret stores

source code

Crawler configs, indexing jobs, scripts, tests, and automation repositories

logs

Crawler logs, indexing traces, CI output, and support bundles

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.