lolcreds

Public credential defaults and exposure patterns for authorized security testing.

OpenCode

SSTAI API3 credentials

Credentials3 documented
01

Provider API Key

opencode / provider-api-key

OpenCode can authenticate to model providers through provider environment variables, explicit provider config, or auth login storage.

user definedsecretAPI key

Looks like

example
example

OpenAI project/service-account key used by OpenCode providers

sk-proj-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
example

Anthropic API key used by OpenCode providers

sk-ant-api03-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
example

GitHub token used by OpenCode GitHub workflows or tools

ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

environment
OPENAI_API_KEY, ANTHROPIC_API_KEY, AZURE_OPENAI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, GROQ_API_KEY, XAI_API_KEY, OPENROUTER_API_KEY, GITHUB_TOKEN, GH_TOKEN
config file
~/.local/share/opencode/auth.json, ~/.config/opencode/opencode.json, ~/.config/opencode/opencode.jsonc, ~/.config/opencode/tui.json

Official OpenCode auth and global config files on Unix-like systems

config file
opencode.json, opencode.jsonc, .opencode/opencode.json, .opencode/opencode.jsonc, .env, .env.local, .env.production

Project-local OpenCode config and environment files

secret store

GitHub Actions secrets, GitLab CI variables, cloud secret managers, Docker secrets, Kubernetes Secrets, and password vaults

source code

OpenCode tool/plugin files, custom agents, workflow examples, tests, scripts, and committed provider config

logs

OpenCode logs, CI traces, shell history, debug output, provider request traces, and terminal transcripts

Notes

Provider key names are provider-owned and are included because official OpenCode docs/source show OpenCode consuming them directly or through provider config.

02

OpenCode Auth JSON

opencode / auth-json

OpenCode stores API keys and OAuth tokens configured by opencode auth login or /connect in auth.json.

user definedgenerated on installsecretsecret value

Location

config file
~/.local/share/opencode/auth.json

Official OpenCode auth storage path documented for macOS/Linux and WSL

environment
OPENCODE_AUTH_JSON

OpenCode GitLab integration variable carrying the auth JSON content

secret store

CI/CD variables and deployment secrets containing OPENCODE_AUTH_JSON or provider keys

source code

Workflow snippets that materialize auth.json for OpenCode automation

logs

CI traces and setup logs that print auth JSON or provider keys

Notes

OPENCODE_AUTH_JSON is documented for GitLab integration as serialized OpenCode authentication JSON, not a conventional provider token.

03

MCP OAuth Token

opencode / mcp-oauth-token

OpenCode MCP authorization stores OAuth tokens for remote MCP servers.

generated on installuser definedsecrettoken

Location

config file
~/.local/share/opencode/mcp-auth.json

Official OpenCode MCP auth token storage path on Unix-like systems

secret store

Password vaults, CI variables, and secret managers used to move MCP authorization state between environments

source code

MCP server configuration examples and setup scripts

logs

MCP auth debug logs and OAuth callback traces

Notes

No stable OpenCode-specific token prefix was found; detect this surface by exact file path and OAuth field context.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.