Auth0 Token
Detects Auth0 client secrets. Auth0 issues an unprefixed 64-character base64url-style client secret, indistinguishable from other long random strings, so this pattern requires an adjacent Auth0 label plus an assignment separator to structurally qualify a match. A leaked client secret lets an attacker mint tokens as the application and impersonate it against every API it is authorized for.
- Type
- regex
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: Auth0's own documentation does not publish the client secret's visible format. TruffleHog's production detector pins a 64-plus-character [a-zA-Z0-9_-] body paired with Auth0 context, and Kingfisher's production rule independently pins the same label-gated 64-plus-character body -- converging secret-scanning-ecosystem evidence, but for an unprefixed opaque string. Without an adjacent Auth0 label the value is indistinguishable from any other 64-character token, so this pattern requires the labelled assignment and offers no value-only tier. Auth0 is not a GitHub secret-scanning partner and gitleaks has no Auth0 rule, consistent with the format's inherent ambiguity.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?i)auth0[\s\S]{0,40}?[=:][\s"']{0,4}(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{64,100}(?![A-Za-z0-9_-])
Corroborative evidence keywords
auth0, auth0.com, AUTH0_CLIENT_SECRET, client secret, client_secret, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host (+38 more)
Proximity: 300 characters
Should match
AUTH0_CLIENT_SECRET=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB— Auth0 client secret in the canonical env var (label + assignment + 64-char body)auth0 client secret: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-— Auth0 label with colon separator and a 64-char base64url-charset bodyauth0_secret="zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210_-"— Quoted Auth0 secret in a config assignment
Should not match
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB with no vendor context— Bare 64-char value with no Auth0 label anywhere (could be any hash or token)AUTH0_CLIENT_ID=abcdefghijklmnopqrstuvwxyz012345— Auth0 client ID (32-char public identifier, not a secret; below the 64-char floor)auth0 secret too short: ABCDEFGHIJKLMNOP0123— Auth0 label present but value far too short (20 chars, not 64)rotate the auth0 client secret in the application settings— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- A 64-character hash (for example a SHA-256 hex digest) or unrelated token appearing in a labelled assignment near the word "auth0" in configuration or logs. Mitigation: The regex requires label adjacency plus an assignment separator and never fires value-only; corroborative keywords and placeholder checks add further gating.
- Auth0 Management API access tokens are JWTs (eyJ...) with no Auth0-specific visible marker and are not matched by this pattern. Mitigation: Documented as a deliberate scope decision; generic JWT detection covers that shape, and pairing it with Auth0 tenant domains is left to log-analysis tooling.
- Documentation or examples showing placeholder AUTH0_CLIENT_SECRET values. Mitigation: Check for placeholder markers (example, xxxx, 0000) and documentation file types to reduce false positives.