lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Mailgun

Mailgunsaas3 credentials

Credentials3 documented
01

API Key

mailgun / api-key

Mailgun APIs use Basic authentication for API requests. Mailgun endpoint references mark requests with basicAuth, where the API key is used with the api username for authenticated calls.

generated on installsecretAPI key

Looks like

example
example

Mailgun private API key prefix commonly used in Mailgun API examples

key-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
MAILGUN_API_KEY, MG_API_KEY
http header
Authorization

Basic authentication using api as username and API key as password

config file

.env files, email service config, deployment manifests, and SDK config

secret store

cloud secret managers, CI/CD variables, and platform app secrets

source code

mail sending scripts, SDK examples, tests, and committed config

logs

HTTP client traces, failed send logs, and CI output

Notes

API key blast radius depends on whether the key is account-wide or scoped for a sending domain or service function.

02

SMTP Credentials

mailgun / smtp-credentials

Mailgun domains can be used through SMTP as well as HTTP APIs. SMTP credentials authenticate mail submission for a domain and are typically stored by mail clients, applications, and delivery workers.

generated on installsecretusername/password

Looks like

pattern
pattern

Mailgun SMTP host context; username and password values are stored in nearby mail configuration

smtp(?:\.mailgun\.org|-[a-z]+\.mailgun\.org)

Location

environment
MAILGUN_SMTP_LOGIN, MAILGUN_SMTP_PASSWORD, SMTP_USERNAME, SMTP_PASSWORD
config file

SMTP client config, .env files, application mailer settings, and deployment manifests

secret store

mailer service secrets, CI/CD variables, and platform config vars

source code

mailer examples, tests, and accidentally committed credentials

logs

SMTP debug logs and failed authentication traces

Notes

SMTP credentials can send email through the associated Mailgun domain and should be rotated when found in code or logs.

03

Webhook Signing Key

mailgun / webhook-signing-key

Mailgun webhooks include signature data that applications can verify using the account's HTTP webhook signing key. The signing key is a shared secret used to validate webhook authenticity.

generated on installsecretsecret value

Location

environment
MAILGUN_WEBHOOK_SIGNING_KEY, MAILGUN_SIGNING_KEY
config file

webhook handler config, .env files, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and platform app secrets

source code

webhook verification code, tests, and committed local config

logs

webhook verification debug logs and request traces

Notes

Webhook signing key exposure can let an attacker forge Mailgun webhook events accepted by applications that trust signature verification.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.