lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Datadog

Datadogmonitoring3 credentials

Credentials3 documented
01

API Key

datadog / api-key

Datadog API keys are unique to an organization and are required by the Datadog Agent to submit metrics and events. Datadog API requests use the API key alongside an application key for many programmatic operations.

generated on installsecretAPI key

Looks like

example
example

Datadog API keys are commonly represented as 32-character hexadecimal strings

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
DD_API_KEY, DATADOG_API_KEY
http header
DD-API-KEY

Datadog API key header

config file

datadog.yaml, Agent Helm values, Terraform variables, .env files, and CI manifests

secret store

Kubernetes Secrets, CI/CD variables, cloud secret managers, and container secrets

source code

infrastructure-as-code, deployment scripts, examples, and committed configs

logs

Agent startup logs, API client traces, Terraform output, and CI logs

Notes

API keys identify the Datadog organization for ingestion. Rotate keys found outside intended Agent or service configuration.

02

Application Key

datadog / application-key

Datadog application keys, used with an organization's API key, give users access to Datadog's programmatic API. Datadog documents that application keys are associated with the user account that created them and inherit that user's permissions by default.

user definedsecretAPI key

Looks like

example
example

Datadog application keys are commonly represented as 40-character hexadecimal strings

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
DD_APP_KEY, DD_APPLICATION_KEY, DATADOG_APP_KEY, DATADOG_APPLICATION_KEY
http header
DD-APPLICATION-KEY

Datadog application key header for API operations

config file

Terraform provider config, automation .env files, and deployment manifests

secret store

CI/CD variables, cloud secret managers, and secrets mounted into automation jobs

source code

monitoring automation, scripts, IaC modules, and committed examples

logs

API client debug logs, Terraform traces, and CI output

Notes

One-Time Read mode can make application key secrets visible only at creation time. A leaked application key usually carries the permissions of the user who created it.

03

Client Token

datadog / client-token

Datadog client tokens are used by browser and mobile client SDKs for products such as RUM and logs. Datadog documents API keys, application keys, and client tokens together for browser application security.

generated on installcontext dependenttoken

Location

config file

frontend SDK config, mobile app config, .env files, and build-time settings

environment
DD_CLIENT_TOKEN, DATADOG_CLIENT_TOKEN
source code

browser bundles, mobile applications, committed SDK initialization snippets

logs

client SDK startup logs and build output

Notes

Client tokens are intended for client-side telemetry submission, but they identify the Datadog intake target and can be abused to send unwanted telemetry if exposed outside expected apps.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.