lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Salesforce

Salesforcesaas4 credentials

Credentials4 documented
01

OAuth Access / Refresh Token

salesforce / oauth-access-refresh-token

Salesforce Connected Apps use OAuth flows to issue access tokens and, for supported flows, refresh tokens. Salesforce REST API requests authenticate with OAuth bearer tokens.

generated on installsecrettoken

Location

http header
Authorization

Bearer token used for Salesforce REST API requests

http response

OAuth token endpoint responses containing access_token and refresh_token

database

connected app token stores and integration credential tables

environment
SALESFORCE_ACCESS_TOKEN, SALESFORCE_REFRESH_TOKEN, SF_ACCESS_TOKEN
config file

integration config, local token caches, .env files, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and integration platform secrets

logs

OAuth callback logs, API client traces, and failed login output

Notes

Token blast radius depends on Connected App policies, scopes, user profile, permission sets, and session controls.

02

Connected App Consumer Secret

salesforce / connected-app-consumer-secret

Salesforce Connected Apps created for API integration have a consumer key and consumer secret. The consumer secret authenticates confidential OAuth clients during token exchange.

generated on installsecretsecret value

Location

environment
SALESFORCE_CLIENT_ID, SALESFORCE_CLIENT_SECRET, SF_CLIENT_ID, SF_CLIENT_SECRET
config file

Connected App OAuth config, .env files, integration settings, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and integration platform secrets

source code

OAuth examples, middleware config, tests, and accidentally committed settings

logs

token exchange request dumps and OAuth troubleshooting output

Notes

The consumer key identifies the Connected App; the consumer secret is confidential and can be used to impersonate the app in OAuth flows that require it.

03

Username / Password / Security Token

salesforce / username-password-security-token

Salesforce API integrations may use username-password OAuth or SOAP login patterns where a user's password is combined with a Salesforce security token. Salesforce documents user security tokens and OAuth username-password flows for API authentication.

user definedsecretusername/password

Location

environment
SALESFORCE_USERNAME, SALESFORCE_PASSWORD, SALESFORCE_SECURITY_TOKEN, SF_USERNAME, SF_PASSWORD, SF_SECURITY_TOKEN
config file

ETL connector config, middleware config, .env files, and deployment manifests

secret store

cloud secret managers, CI/CD variables, and iPaaS credential stores

source code

integration scripts, data loaders, tests, and accidentally committed credentials

logs

failed login traces, connector debug logs, and CI output

public interface
/services/oauth2/token

OAuth username-password token endpoint context

Notes

This is a user-defined credential flow, not a shipped default. The security token is an additional Salesforce user credential commonly concatenated to the password by legacy integrations.

04

JWT Bearer Private Key

salesforce / jwt-bearer-private-key

Salesforce Connected Apps can use JWT bearer flow with a certificate and private key to authenticate server-to-server integrations. The private key signs the JWT assertion submitted to Salesforce.

user definedsecretkey pair

Looks like

pattern
pattern

PEM private key used to sign Salesforce JWT bearer assertions

-----BEGIN (?:RSA |EC |)PRIVATE KEY-----

Location

config file

PEM files, keystores, integration config, .env files, and deployment manifests

environment
SALESFORCE_PRIVATE_KEY, SF_JWT_PRIVATE_KEY
secret store

cloud KMS, secret managers, CI/CD variables, and integration platform secrets

source code

JWT bearer examples, tests, and accidentally committed PEM files

logs

JWT assertion generation debug logs and CI traces

Notes

The uploaded certificate is public verification material; the private key is the credential that can mint signed assertions for the Connected App.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.