Braintree Access Token

Detects Braintree (PayPal) OAuth access tokens, which use a distinctive literal dollar-delimited structure: access_token$<environment>$<merchant-id>$<token>. A leaked token allows payment processing and transaction-history access on the connected merchant's behalf.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: the literal "access_token$production$"/"access_token$sandbox$" lead-in is self-describing and essentially cannot occur by accident, and the $-delimited structure is confirmed by Braintree's own SDK source (CredentialsParser splits on $ and requires the access_token prefix). The segment lengths are deliberately bounded ranges rather than exact pins because the only exact-length evidence (16/32) is a single low-confidence community rule; the confidence rests on the literal prefix and structure, not on segment lengths.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
10
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])access_token\$(?:production|sandbox)\$[0-9a-z]{8,32}\$[0-9a-z]{16,64}(?![A-Za-z0-9_])

Corroborative evidence keywords

braintree, braintreepayments.com, BRAINTREE_ACCESS_TOKEN, merchant id, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References