DigitalOcean Personal Access Token
Detects DigitalOcean personal access tokens (dop_v1_ prefix). These tokens authenticate to the DigitalOcean API and can manage droplets, databases, DNS and billing; a leak enables full account control.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the distinctive dop_v1_ prefix with a fixed 64-character hex body makes false positives extremely unlikely.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])dop_v1_[a-f0-9]{64}(?![A-Za-z0-9])Corroborative evidence keywords
digitalocean, digital ocean, doctl, api.digitalocean.com, personal access token, droplet
Proximity: 300 characters
Should match
dop_v1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef— DigitalOcean PAT, dop_v1_ prefix + 64 hexDIGITALOCEAN_TOKEN=dop_v1_deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef— Labelled DigitalOcean PAT in env vardop_v1_abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789— DigitalOcean PAT with hex body
Should not match
dop_v1_0123456789abcdef— Too short to be a DigitalOcean PATdoo_v1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef— OAuth token prefix (doo_v1_), not a personal access tokencreate a digitalocean personal access token in the API settings— Prose mention without a token value
Known false positives
- 64-char hex digests accidentally prefixed with dop_v1_ in documentation. Mitigation: Require corroborative DigitalOcean keywords and exclude placeholder markers.