Braintree Access Token
Detects Braintree (PayPal) OAuth access tokens, which use a distinctive literal dollar-delimited structure: access_token$<environment>$<merchant-id>$<token>. A leaked token allows payment processing and transaction-history access on the connected merchant's behalf.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the literal "access_token$production$"/"access_token$sandbox$" lead-in is self-describing and essentially cannot occur by accident, and the $-delimited structure is confirmed by Braintree's own SDK source (CredentialsParser splits on $ and requires the access_token prefix). The segment lengths are deliberately bounded ranges rather than exact pins because the only exact-length evidence (16/32) is a single low-confidence community rule; the confidence rests on the literal prefix and structure, not on segment lengths.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 10
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])access_token\$(?:production|sandbox)\$[0-9a-z]{8,32}\$[0-9a-z]{16,64}(?![A-Za-z0-9_])
Corroborative evidence keywords
braintree, braintreepayments.com, BRAINTREE_ACCESS_TOKEN, merchant id, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
access_token$production$abcdefghij012345$0123456789abcdefghijklmnopqrstuv— Braintree production OAuth access token (16-char merchant id + 32-char token)access_token$sandbox$0123456789abcdef$abcdefghijklmnopqrstuv0123456789— Braintree sandbox OAuth access tokenBRAINTREE_ACCESS_TOKEN=access_token$production$zyxwvutsrq543210$zyxwvutsrqponmlkjihgfedcba543210— Labelled Braintree access token in an env assignment
Should not match
access_token$staging$abcdefghij012345$0123456789abcdefghijklmnopqrstuv— Invalid environment segment (staging is not a Braintree environment)access_token$production$abcdefghij012345$0123456789abcde— Token segment too short (15 chars, below the 16-char floor)access_token$production$abcdefg$0123456789abcdefghijklmnopqrstuv— Merchant-id segment too short (7 chars, below the 8-char floor)client_id$production$abcdefghij012345— Braintree client_id credential (different $-structure, segment shapes unverified, deliberately out of scope)rotate the braintree access token and private key— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Documentation or examples showing placeholder access_token$production$ strings. Mitigation: Require corroborative Braintree keywords and check for placeholder markers (example, xxxx).
- Braintree legacy gateway credentials (merchant ID, public key, private key) are unprefixed opaque strings (GitGuardian lists them as non-prefixed) and are not matched by this pattern; nor are the client_id$/client_secret$ OAuth app credentials, whose segment shapes are not published. Mitigation: Documented as a known scope limitation; only the structure-verified access_token$ form is matched.
References
- Braintree's own SDK credential parser (access_token prefix, $-delimited environment and merchant-id segments)
- Semgrep secrets registry rule (access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32}; self-declared LOW confidence, traces to the legacy truffleHogRegexes list)
- TruffleHog production Braintree detector (targets the legacy credential pair: 16-char lowercase alnum merchant id; 32-char hex private key)
- PayPal Braintree Keys - GitGuardian detector documentation (legacy keys Prefixed: False)