lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Cursor

AnysphereAI API3 credentials

Credentials3 documented
01

Model Provider API Key

cursor / provider-api-key

Cursor supports user-supplied API keys for model providers and may store or reference them through editor settings, workspace files, environment variables, and OS secret storage.

user definedsecretAPI key

Looks like

example
example

OpenAI project/service-account API key used as a Cursor custom provider key

sk-proj-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
example

Anthropic API key used as a Cursor custom provider key

sk-ant-api03-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
example

Google API key used by Gemini integrations

AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, GEMINI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, AZURE_OPENAI_API_KEY, OPENROUTER_API_KEY
config file
~/.config/Cursor/User/settings.json, ~/.config/Cursor/User/globalStorage/state.vscdb

Cursor user settings and extension/global storage on Unix-like systems

config file
%APPDATA%\Cursor\User\settings.json, %APPDATA%\Cursor\User\globalStorage\state.vscdb

Cursor user settings and extension/global storage on Windows

config file
.cursor/mcp.json, .cursor/rules, .cursor/rules.json, .vscode/settings.json, .env, .env.local, .env.production, devcontainer.json, .devcontainer/devcontainer.json

Project-local Cursor/MCP/rules/workspace files and environment files

secret store

Cursor/VS Code SecretStorage, OS keychain, password vaults, CI/CD variables, and cloud secret managers

source code

MCP server config, custom tools, notebooks, scripts, examples, test fixtures, and committed agent settings

logs

Cursor logs, extension host logs, MCP logs, terminal transcripts, request debug output, and crash reports

Notes

Cursor documentation describes custom API-key configuration, but no stable Cursor-specific provider-token prefix was found. Prefer provider-specific regexes and exact editor/workspace locations.

02

Cursor Account Token

cursor / cursor-account-token

Cursor account/session authentication state may be present in editor storage or OS secret storage.

generated on installgenerated on installsecrettoken

Location

config file
~/.config/Cursor/User/globalStorage/state.vscdb
config file
%APPDATA%\Cursor\User\globalStorage\state.vscdb
secret store

OS keychain or VS Code-compatible SecretStorage used by Cursor account authentication

logs

Cursor account/auth troubleshooting output and extension host logs

Notes

Account tokens are not known to have a stable public prefix; this entry relies on exact Cursor storage surfaces rather than value shape.

03

MCP Server Secret

cursor / mcp-server-secret

Cursor MCP server configuration can contain API keys, bearer tokens, or command environment variables for tools used by the editor agent.

user definedsecretsecret value

Location

config file
.cursor/mcp.json, mcp.json, .vscode/mcp.json, .env, .env.local
environment
GITHUB_TOKEN, GH_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY
secret store

Password vaults, OS keychain, and CI/developer-environment secret stores referenced by MCP servers

source code

MCP server command definitions, wrapper scripts, and agent tool configs

logs

MCP server stdout/stderr, Cursor logs, and terminal transcripts

Notes

MCP secrets vary by server; only exact common env vars with strong provider patterns are included.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.