Client Secret / Api Key
Detects documents containing client secret and API key patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. In Purview, this is a broad bundled detector. This keyword-based version flags documents that may contain client secrets or API keys for further review.
- Type
- regex
- Engine
- universal
- Confidence
- low
- Confidence justification
- Low confidence: broad pattern matching that will match client secret and API key assignments in documentation, code comments, and non-sensitive contexts. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality
- Partial
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories
- credentials, security
- Scope
- wide
- Risk rating
- 10
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported
Pattern
(?i)\b(?:client[_-]?secret|client[_-]?id|api[_-]?key|api[_-]?secret|app[_-]?secret|application[_-]?secret)\s*[:=]\s*"?[A-Za-z0-9_.\-]{10,}"?Corroborative evidence keywords
client secret, client_secret, api key, api_key, app secret, application secret, OAuth, authentication, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database (+43 more)
Proximity: 300 characters
Should match
client_secret=AAAA0000BBBB1111CCCC2222— Client secret assignmentapi_key: "ABCDEFGHIJKLMNOPQRSTUVWXYZab"— API key in YAML formatapp_secret="000000000000000000000000"— Application secret with placeholder
Should not match
client_secret=""— Empty secret valueThe client_secret parameter is required— Documentation reference without actual secrettemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- OAuth documentation and API integration guides referencing client_secret and api_key parameters. Mitigation: Check for common placeholder values and documentation context.
- Source code containing client secret variable declarations without actual values. Mitigation: Verify that matched values are actual credentials rather than variable names or comments.