Auth0
Auth0identity4 credentials
Management API Access Token
auth0 / management-api-access-token
Auth0 Management API access tokens authorize calls to the Auth0 Management API. Auth0 documents these as access tokens and discusses rotating or revoking tokens according to their token type.
Looks like
patterneyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+Location
AUTH0_MANAGEMENT_API_TOKEN, AUTH0_TOKENAuthorizationBearer token used for Auth0 Management API calls
OAuth token endpoint responses containing access_token
automation .env files, deployment config, Terraform variables, and SDK config
CI/CD variables, cloud secret managers, and identity automation secrets
token exchange logs, Management API client traces, and CI output
Notes
Management API token blast radius is controlled by requested audience, scopes, and lifetime. Store short-lived tokens only where needed.
Application Client Secret
auth0 / application-client-secret
Auth0 applications have client credentials in their application settings. Auth0 documents client secret rotation and notes that client secrets are used by confidential applications and token flows.
Location
AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRETapplication settings, .env files, backend auth config, and deployment manifests
cloud secret managers, CI/CD variables, and platform app secrets
OAuth examples, tests, Terraform config, and accidentally committed app config
OAuth token request dumps, failed login traces, and CI output
Notes
The client ID identifies the application; the client secret is confidential and can allow impersonation of the application in supported OAuth flows.
Private Key JWT Signing Key
auth0 / private-key-jwt-signing-key
Auth0 applications can use private_key_jwt-style authentication for advanced OAuth flows. Auth0 documents private key JWT authentication and JSON Web Key Sets for verifying JWTs signed by Auth0.
Looks like
pattern-----BEGIN (?:RSA |EC |)PRIVATE KEY-----Location
PEM files, JWKS generation inputs, backend auth config, and deployment manifests
AUTH0_PRIVATE_KEY, AUTH0_CLIENT_ASSERTION_PRIVATE_KEYcloud KMS, secret managers, CI/CD variables, and platform app secrets
test keys, OAuth client examples, and accidentally committed PEM files
Notes
Public JWKS keys verify tokens, but the private signing key is a secret credential and should stay in a server-side key store.
Refresh Token
auth0 / refresh-token
Auth0 refresh tokens can be revoked through the Dashboard, Authentication API, or Management API. Auth0 documents refresh token rotation and expiration settings for applications.
Location
OAuth token responses containing refresh_token
application token stores and session stores
development token caches and local OAuth test config
encrypted app secret stores and secure session storage
OAuth callback logs and token endpoint debug output
Notes
Refresh token exposure can extend access beyond an access token's lifetime until rotation, revocation, reuse detection, or expiration stops it.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.