Datadog
Datadogmonitoring3 credentials
API Key
datadog / api-key
Datadog API keys are unique to an organization and are required by the Datadog Agent to submit metrics and events. Datadog API requests use the API key alongside an application key for many programmatic operations.
Looks like
exampleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
DD_API_KEY, DATADOG_API_KEYDD-API-KEYDatadog API key header
datadog.yaml, Agent Helm values, Terraform variables, .env files, and CI manifests
Kubernetes Secrets, CI/CD variables, cloud secret managers, and container secrets
infrastructure-as-code, deployment scripts, examples, and committed configs
Agent startup logs, API client traces, Terraform output, and CI logs
Notes
API keys identify the Datadog organization for ingestion. Rotate keys found outside intended Agent or service configuration.
Application Key
datadog / application-key
Datadog application keys, used with an organization's API key, give users access to Datadog's programmatic API. Datadog documents that application keys are associated with the user account that created them and inherit that user's permissions by default.
Looks like
exampleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
DD_APP_KEY, DD_APPLICATION_KEY, DATADOG_APP_KEY, DATADOG_APPLICATION_KEYDD-APPLICATION-KEYDatadog application key header for API operations
Terraform provider config, automation .env files, and deployment manifests
CI/CD variables, cloud secret managers, and secrets mounted into automation jobs
monitoring automation, scripts, IaC modules, and committed examples
API client debug logs, Terraform traces, and CI output
Notes
One-Time Read mode can make application key secrets visible only at creation time. A leaked application key usually carries the permissions of the user who created it.
Client Token
datadog / client-token
Datadog client tokens are used by browser and mobile client SDKs for products such as RUM and logs. Datadog documents API keys, application keys, and client tokens together for browser application security.
Location
frontend SDK config, mobile app config, .env files, and build-time settings
DD_CLIENT_TOKEN, DATADOG_CLIENT_TOKENbrowser bundles, mobile applications, committed SDK initialization snippets
client SDK startup logs and build output
Notes
Client tokens are intended for client-side telemetry submission, but they identify the Datadog intake target and can be abused to send unwanted telemetry if exposed outside expected apps.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.