lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Contentful

Contentfulsaas3 credentials

Credentials3 documented
01

Content Delivery / Preview API Token

contentful / delivery-preview-api-token

Contentful Content Delivery and Preview APIs use access tokens generated from API keys in the Contentful web app. Contentful documents sending the token as access_token query parameter or, preferably, Authorization: Bearer.

generated on installsecrettoken

Location

http header
Authorization

Bearer token used for Contentful API requests

public interface
access_token

query parameter form accepted by Contentful APIs

environment
CONTENTFUL_ACCESS_TOKEN, CONTENTFUL_DELIVERY_TOKEN, CONTENTFUL_PREVIEW_TOKEN
config file

site generator config, CMS integration config, .env files, and deployment manifests

secret store

CI/CD variables, hosting platform secrets, and cloud secret managers

source code

frontend builds, static-site config, examples, and committed CMS clients

logs

build logs, API client traces, and failed preview requests

Notes

Delivery tokens are often used in builds and runtimes; Preview tokens can expose draft content and should be treated as more sensitive.

02

Content Management Personal Access Token

contentful / management-api-pat

Contentful Content Management API access can use a personal access token. Contentful documents getting a personal access token and authenticating API requests with Bearer tokens.

user definedsecrettoken

Location

http header
Authorization

Bearer token used for Content Management API calls

environment
CONTENTFUL_MANAGEMENT_TOKEN, CONTENTFUL_CMA_TOKEN, CONTENTFUL_PAT
config file

migration tooling config, .env files, deployment manifests, and CMS automation settings

secret store

CI/CD variables, cloud secret managers, and release automation secrets

source code

migration scripts, seed scripts, tests, and committed management clients

logs

content migration logs, API traces, and CI output

Notes

Management tokens can create, update, and delete Contentful resources according to the user's permissions and selected spaces.

03

OAuth Access Token

contentful / oauth-token

Contentful supports OAuth tokens for applications. Contentful documents OAuth tokens as another way to authenticate API calls using the same Bearer header mechanism.

generated on installsecrettoken

Location

http header
Authorization

Bearer OAuth access token

http response

OAuth token endpoint responses

database

integration OAuth installation token stores

config file

local OAuth examples and application config

secret store

encrypted app token stores and cloud secret managers

logs

OAuth callback and token exchange logs

Notes

OAuth token permissions depend on the authorized user, organization, spaces, and scopes granted to the app.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.