lolcreds

Public credential defaults and exposure patterns for authorized security testing.

HubSpot

HubSpotsaas3 credentials

Credentials3 documented
01

Private App Access Token

hubspot / private-app-access-token

HubSpot private apps use an access token to make API calls to the account where the private app is installed. HubSpot documents setting the Authorization header to Bearer [YOUR_TOKEN].

generated on installsecrettoken

Location

environment
HUBSPOT_ACCESS_TOKEN, HUBSPOT_PRIVATE_APP_TOKEN, HUBAPI_TOKEN
http header
Authorization

Bearer token used for HubSpot API requests

config file

.env files, integration config, workflow automation settings, and deployment manifests

secret store

CI/CD variables, cloud secret managers, hosted app secrets, and platform config vars

source code

CRM integrations, examples, tests, and accidentally committed automation scripts

logs

API client traces, webhook handler logs, and CI output

Notes

Private app tokens inherit the scopes selected for the private app and are tied to a single HubSpot account.

02

OAuth Access / Refresh Token

hubspot / oauth-access-refresh-token

HubSpot public apps use OAuth authorization tokens rather than passwords. HubSpot documents OAuth installation with client ID and client secret, and apps exchange authorization grants for access and refresh tokens.

generated on installsecrettoken

Location

http header
Authorization

Bearer access token for HubSpot API calls

http response

OAuth token endpoint responses containing access_token and refresh_token

database

public app installation token stores by portal/account

environment
HUBSPOT_ACCESS_TOKEN, HUBSPOT_REFRESH_TOKEN
config file

OAuth example config, local token caches, and integration settings

secret store

encrypted app token stores and cloud secret managers

logs

OAuth callback logs and token exchange debug output

Notes

OAuth token blast radius depends on installed scopes and the HubSpot account where the app was authorized.

03

OAuth Client Secret

hubspot / oauth-client-secret

HubSpot OAuth apps use a client ID and client secret to build the authorization URL and complete OAuth token exchange. HubSpot documents using the client secret when setting up OAuth authentication.

generated on installsecretsecret value

Location

environment
HUBSPOT_CLIENT_ID, HUBSPOT_CLIENT_SECRET
config file

OAuth backend config, app settings, .env files, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and hosted app secrets

source code

OAuth handlers, examples, tests, and committed app config

logs

token exchange request dumps and OAuth troubleshooting output

Notes

Client secret exposure can allow impersonation of the HubSpot public app in OAuth token exchange flows.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.