lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Miro

Mirosaas3 credentials

Credentials3 documented
01

OAuth Access Token

miro / oauth-access-token

Miro apps use OAuth 2.0 access tokens to call the Miro REST API on behalf of a user. Miro documents the access token in token endpoint responses and requires API requests to send it in the Authorization header as Bearer {ACCESS_TOKEN}.

generated on installsecrettoken

Looks like

pattern
pattern

Miro OAuth examples show JWT-like access_token values; identify the credential by OAuth token response or Bearer header context because Miro does not document a fixed Miro-specific prefix

eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

Location

http header
Authorization

Bearer token used for Miro REST API requests

http response

OAuth token endpoint responses containing access_token

database

application token stores linked to Miro users and teams

config file

local OAuth examples, .env files, and app runtime configuration

secret store

production app secret stores, CI/CD variables, and cloud secret managers

logs

OAuth callback logs, REST client debug traces, and token exchange errors

Notes

Miro access tokens are short lived; the documented default validity is 60 minutes. A leaked token has the scopes and user/team reach granted to the app installation.

02

OAuth Refresh Token

miro / oauth-refresh-token

Miro OAuth token responses include refresh tokens. Miro documents that the refresh token remains valid after the access token expires and is used with the app client secret to request a new access token.

generated on installsecrettoken

Looks like

pattern
pattern

Miro OAuth examples show JWT-like refresh_token values; identify the credential by token endpoint storage context because no fixed Miro-specific prefix is documented

eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

Location

http response

OAuth token endpoint responses containing refresh_token

database

application token stores used to renew Miro access tokens

config file

local OAuth samples, development .env files, and serialized token caches

secret store

application secret stores and encrypted configuration backends

logs

OAuth exchange logs and application debug output

Notes

Miro documents a 60-day refresh-token validity by default. Treat leaked refresh tokens as durable delegated access until revoked or expired.

03

OAuth Client Secret

miro / oauth-client-secret

Each Miro developer app has a client ID and client secret. Miro documents that both values are needed when exchanging authorization codes for tokens and when requesting refresh tokens.

generated on installsecretsecret value

Location

config file

OAuth server configuration, .env files, deployment manifests, and SDK examples

environment
MIRO_CLIENT_SECRET, MIRO_CLIENT_ID
secret store

cloud secret managers, hosted app settings, and CI/CD variables

source code

accidentally committed OAuth examples, test fixtures, and deployment scripts

logs

token exchange request dumps and failed OAuth troubleshooting output

Notes

The client ID identifies the app, while the client secret authenticates the app during server-side OAuth token exchange. Client secret exposure can let an attacker impersonate the app in OAuth flows.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.