Cursor
AnysphereAI API3 credentials
Model Provider API Key
cursor / provider-api-key
Cursor supports user-supplied API keys for model providers and may store or reference them through editor settings, workspace files, environment variables, and OS secret storage.
Looks like
examplesk-proj-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXsk-ant-api03-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, GEMINI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, AZURE_OPENAI_API_KEY, OPENROUTER_API_KEY~/.config/Cursor/User/settings.json, ~/.config/Cursor/User/globalStorage/state.vscdbCursor user settings and extension/global storage on Unix-like systems
%APPDATA%\Cursor\User\settings.json, %APPDATA%\Cursor\User\globalStorage\state.vscdbCursor user settings and extension/global storage on Windows
.cursor/mcp.json, .cursor/rules, .cursor/rules.json, .vscode/settings.json, .env, .env.local, .env.production, devcontainer.json, .devcontainer/devcontainer.jsonProject-local Cursor/MCP/rules/workspace files and environment files
Cursor/VS Code SecretStorage, OS keychain, password vaults, CI/CD variables, and cloud secret managers
MCP server config, custom tools, notebooks, scripts, examples, test fixtures, and committed agent settings
Cursor logs, extension host logs, MCP logs, terminal transcripts, request debug output, and crash reports
Notes
Cursor documentation describes custom API-key configuration, but no stable Cursor-specific provider-token prefix was found. Prefer provider-specific regexes and exact editor/workspace locations.
Cursor Account Token
cursor / cursor-account-token
Cursor account/session authentication state may be present in editor storage or OS secret storage.
Location
~/.config/Cursor/User/globalStorage/state.vscdb%APPDATA%\Cursor\User\globalStorage\state.vscdbOS keychain or VS Code-compatible SecretStorage used by Cursor account authentication
Cursor account/auth troubleshooting output and extension host logs
Notes
Account tokens are not known to have a stable public prefix; this entry relies on exact Cursor storage surfaces rather than value shape.
MCP Server Secret
cursor / mcp-server-secret
Cursor MCP server configuration can contain API keys, bearer tokens, or command environment variables for tools used by the editor agent.
Location
.cursor/mcp.json, mcp.json, .vscode/mcp.json, .env, .env.localGITHUB_TOKEN, GH_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEYPassword vaults, OS keychain, and CI/developer-environment secret stores referenced by MCP servers
MCP server command definitions, wrapper scripts, and agent tool configs
MCP server stdout/stderr, Cursor logs, and terminal transcripts
Notes
MCP secrets vary by server; only exact common env vars with strong provider patterns are included.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.