lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Atlassian Trello

Atlassiansaas3 credentials

Credentials3 documented
01

API Token

atlassian-trello / api-token

Trello's REST API uses token-based authentication. Atlassian documents that after a user grants an application access, Trello gives the application a token that can be used to make API requests on behalf of that user.

user definedsecrettoken

Looks like

pattern
pattern

Trello API token in query-string or JSON body context; Atlassian does not document a fixed token prefix in the REST API guide

(?:token=|"token"\s*:\s*")[^\s&"}']{16,}
pattern

Trello token in the documented OAuth Authorization header format

oauth_token="[^"\r\n]{16,}"

Location

http header
Authorization

OAuth header using oauth_consumer_key and oauth_token

public interface
https://trello.com/1/authorize

authorization route used to grant an application a user token

config file

.env files, integration config, automation scripts, and local token caches

environment
TRELLO_TOKEN, TRELLO_API_TOKEN
secret store

CI/CD variables, cloud secret managers, and hosted automation settings

source code

scripts and examples containing key/token query parameters or JSON bodies

logs

HTTP request logs, webhook or automation debug output, and CI traces

Notes

API tokens grant access to a user's Trello data according to their scopes and expiration. Atlassian explicitly says API tokens should be kept secret.

02

API Key

atlassian-trello / api-key

Trello applications use an API key tied to a Power-Up to identify the application in the delegated authorization flow. Atlassian documents that the API key is intended to be publicly accessible and does not grant access to a user's Trello data by itself.

generated on installpublic by designAPI key

Looks like

pattern
pattern

Trello API key in query-string or JSON body context; pair with token context to determine whether a complete secret is present

(?:key=|"key"\s*:\s*")[A-Za-z0-9]{16,}
pattern

Trello API key in the documented OAuth Authorization header format

oauth_consumer_key="[A-Za-z0-9]{16,}"

Location

public interface
https://trello.com/power-ups/admin

Power-Up management page where API keys are generated

config file

application settings, .env files, deployment manifests, and docs examples

environment
TRELLO_KEY, TRELLO_API_KEY
source code

Trello integrations, browser clients, examples, and automation scripts

logs

request URLs and Authorization headers printed by API clients

Notes

The API key is not secret on its own, but it commonly appears next to a secret API token. Preserve that context when triaging findings.

03

OAuth 1.0 Application Secret

atlassian-trello / oauth-application-secret

Trello supports Basic OAuth 1.0 for API authorization. Atlassian documents that applications also need an application secret, listed on the Power-Up API Key tab, to sign OAuth requests.

generated on installsecretsecret value

Location

public interface
https://trello.com/power-ups/admin

Power-Up API Key tab where the application secret is listed

config file

OAuth client configuration, .env files, and server deployment manifests

environment
TRELLO_SECRET, TRELLO_APPLICATION_SECRET, TRELLO_OAUTH_SECRET
secret store

CI/CD variables, app hosting secrets, and cloud secret managers

source code

OAuth examples, backend integrations, and committed configuration

logs

OAuth signing debug logs and failed request traces

Notes

The application secret is separate from user API tokens. Exposure can let an attacker sign OAuth requests as the Trello application.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.