Atlassian Trello
Atlassiansaas3 credentials
API Token
atlassian-trello / api-token
Trello's REST API uses token-based authentication. Atlassian documents that after a user grants an application access, Trello gives the application a token that can be used to make API requests on behalf of that user.
Looks like
pattern(?:token=|"token"\s*:\s*")[^\s&"}']{16,}oauth_token="[^"\r\n]{16,}"Location
AuthorizationOAuth header using oauth_consumer_key and oauth_token
https://trello.com/1/authorizeauthorization route used to grant an application a user token
.env files, integration config, automation scripts, and local token caches
TRELLO_TOKEN, TRELLO_API_TOKENCI/CD variables, cloud secret managers, and hosted automation settings
scripts and examples containing key/token query parameters or JSON bodies
HTTP request logs, webhook or automation debug output, and CI traces
Notes
API tokens grant access to a user's Trello data according to their scopes and expiration. Atlassian explicitly says API tokens should be kept secret.
API Key
atlassian-trello / api-key
Trello applications use an API key tied to a Power-Up to identify the application in the delegated authorization flow. Atlassian documents that the API key is intended to be publicly accessible and does not grant access to a user's Trello data by itself.
Looks like
pattern(?:key=|"key"\s*:\s*")[A-Za-z0-9]{16,}oauth_consumer_key="[A-Za-z0-9]{16,}"Location
https://trello.com/power-ups/adminPower-Up management page where API keys are generated
application settings, .env files, deployment manifests, and docs examples
TRELLO_KEY, TRELLO_API_KEYTrello integrations, browser clients, examples, and automation scripts
request URLs and Authorization headers printed by API clients
Notes
The API key is not secret on its own, but it commonly appears next to a secret API token. Preserve that context when triaging findings.
OAuth 1.0 Application Secret
atlassian-trello / oauth-application-secret
Trello supports Basic OAuth 1.0 for API authorization. Atlassian documents that applications also need an application secret, listed on the Power-Up API Key tab, to sign OAuth requests.
Location
https://trello.com/power-ups/adminPower-Up API Key tab where the application secret is listed
OAuth client configuration, .env files, and server deployment manifests
TRELLO_SECRET, TRELLO_APPLICATION_SECRET, TRELLO_OAUTH_SECRETCI/CD variables, app hosting secrets, and cloud secret managers
OAuth examples, backend integrations, and committed configuration
OAuth signing debug logs and failed request traces
Notes
The application secret is separate from user API tokens. Exposure can let an attacker sign OAuth requests as the Trello application.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.