Miro
Mirosaas3 credentials
OAuth Access Token
miro / oauth-access-token
Miro apps use OAuth 2.0 access tokens to call the Miro REST API on behalf of a user. Miro documents the access token in token endpoint responses and requires API requests to send it in the Authorization header as Bearer {ACCESS_TOKEN}.
Looks like
patterneyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+Location
AuthorizationBearer token used for Miro REST API requests
OAuth token endpoint responses containing access_token
application token stores linked to Miro users and teams
local OAuth examples, .env files, and app runtime configuration
production app secret stores, CI/CD variables, and cloud secret managers
OAuth callback logs, REST client debug traces, and token exchange errors
Notes
Miro access tokens are short lived; the documented default validity is 60 minutes. A leaked token has the scopes and user/team reach granted to the app installation.
OAuth Refresh Token
miro / oauth-refresh-token
Miro OAuth token responses include refresh tokens. Miro documents that the refresh token remains valid after the access token expires and is used with the app client secret to request a new access token.
Looks like
patterneyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+Location
OAuth token endpoint responses containing refresh_token
application token stores used to renew Miro access tokens
local OAuth samples, development .env files, and serialized token caches
application secret stores and encrypted configuration backends
OAuth exchange logs and application debug output
Notes
Miro documents a 60-day refresh-token validity by default. Treat leaked refresh tokens as durable delegated access until revoked or expired.
OAuth Client Secret
miro / oauth-client-secret
Each Miro developer app has a client ID and client secret. Miro documents that both values are needed when exchanging authorization codes for tokens and when requesting refresh tokens.
Location
OAuth server configuration, .env files, deployment manifests, and SDK examples
MIRO_CLIENT_SECRET, MIRO_CLIENT_IDcloud secret managers, hosted app settings, and CI/CD variables
accidentally committed OAuth examples, test fixtures, and deployment scripts
token exchange request dumps and failed OAuth troubleshooting output
Notes
The client ID identifies the app, while the client secret authenticates the app during server-side OAuth token exchange. Client secret exposure can let an attacker impersonate the app in OAuth flows.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.