lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Anthropic Claude API

AnthropicAI API2 credentials

Credentials2 documented
01

API Key

anthropic / api-key

Anthropic Claude API requests authenticate with an API key from the Anthropic Console. Anthropic documents x-api-key as the API-key header and also supports Authorization bearer tokens for short-lived workload identity access tokens.

user definedsecretAPI key

Looks like

example
example

Anthropic Console API key form commonly seen for Claude API keys

sk-ant-api03-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
ANTHROPIC_API_KEY
http header
x-api-key

Anthropic API key header

source code

application config, scripts, notebooks, examples, committed .env files

config file

.env, local shell profiles, deployment manifests, server config

secret store

CI/CD variables, cloud secret managers, platform environment stores

logs

HTTP client debug logs that include x-api-key or Authorization headers

Notes

API keys and short-lived workload identity bearer tokens are different credential types. API keys are long-lived bearer secrets from Console; workload identity bearer tokens are obtained through the OAuth token endpoint and should be triaged by their identity provider and lifetime.

02

Workload Identity Bearer Token

anthropic / workload-identity-bearer-token

Anthropic supports Authorization: Bearer tokens for Workload Identity Federation. These are short-lived access tokens obtained from the Anthropic OAuth token endpoint rather than static Console API keys.

generated on installsecrettoken

Location

http header
Authorization

Bearer token used for Anthropic Workload Identity Federation requests

logs

workload identity exchange logs and HTTP client debug output

environment

temporary environment variables used by workloads

secret store

workload runtime token caches and orchestration platforms

Notes

These tokens are intentionally short-lived and opaque. Exposure still matters during the token lifetime, and the upstream identity federation rule should be reviewed if tokens appear outside the intended workload.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.