Auth0 Token

Detects Auth0 client secrets. Auth0 issues an unprefixed 64-character base64url-style client secret, indistinguishable from other long random strings, so this pattern requires an adjacent Auth0 label plus an assignment separator to structurally qualify a match. A leaked client secret lets an attacker mint tokens as the application and impersonate it against every API it is authorized for.

Type
regex
Engine
universal
Confidence
medium
Confidence justification
Medium confidence: Auth0's own documentation does not publish the client secret's visible format. TruffleHog's production detector pins a 64-plus-character [a-zA-Z0-9_-] body paired with Auth0 context, and Kingfisher's production rule independently pins the same label-gated 64-plus-character body -- converging secret-scanning-ecosystem evidence, but for an unprefixed opaque string. Without an adjacent Auth0 label the value is indistinguishable from any other 64-character token, so this pattern requires the labelled assignment and offers no value-only tier. Auth0 is not a GitHub secret-scanning partner and gitleaks has no Auth0 rule, consistent with the format's inherent ambiguity.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
9
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?i)auth0[\s\S]{0,40}?[=:][\s"']{0,4}(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{64,100}(?![A-Za-z0-9_-])

Corroborative evidence keywords

auth0, auth0.com, AUTH0_CLIENT_SECRET, client secret, client_secret, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host (+38 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References