Mailgun
Mailgunsaas3 credentials
API Key
mailgun / api-key
Mailgun APIs use Basic authentication for API requests. Mailgun endpoint references mark requests with basicAuth, where the API key is used with the api username for authenticated calls.
Looks like
examplekey-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
MAILGUN_API_KEY, MG_API_KEYAuthorizationBasic authentication using api as username and API key as password
.env files, email service config, deployment manifests, and SDK config
cloud secret managers, CI/CD variables, and platform app secrets
mail sending scripts, SDK examples, tests, and committed config
HTTP client traces, failed send logs, and CI output
Notes
API key blast radius depends on whether the key is account-wide or scoped for a sending domain or service function.
SMTP Credentials
mailgun / smtp-credentials
Mailgun domains can be used through SMTP as well as HTTP APIs. SMTP credentials authenticate mail submission for a domain and are typically stored by mail clients, applications, and delivery workers.
Looks like
patternsmtp(?:\.mailgun\.org|-[a-z]+\.mailgun\.org)Location
MAILGUN_SMTP_LOGIN, MAILGUN_SMTP_PASSWORD, SMTP_USERNAME, SMTP_PASSWORDSMTP client config, .env files, application mailer settings, and deployment manifests
mailer service secrets, CI/CD variables, and platform config vars
mailer examples, tests, and accidentally committed credentials
SMTP debug logs and failed authentication traces
Notes
SMTP credentials can send email through the associated Mailgun domain and should be rotated when found in code or logs.
Webhook Signing Key
mailgun / webhook-signing-key
Mailgun webhooks include signature data that applications can verify using the account's HTTP webhook signing key. The signing key is a shared secret used to validate webhook authenticity.
Location
MAILGUN_WEBHOOK_SIGNING_KEY, MAILGUN_SIGNING_KEYwebhook handler config, .env files, and deployment manifests
cloud secret managers, CI/CD variables, and platform app secrets
webhook verification code, tests, and committed local config
webhook verification debug logs and request traces
Notes
Webhook signing key exposure can let an attacker forge Mailgun webhook events accepted by applications that trust signature verification.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.