Netlify Access Token

Detects Netlify authentication tokens: the current nf-prefixed family announced by Netlify in November 2023 (nfp_ personal access tokens, nfc_ CLI tokens, nfo_ OAuth tokens, nfu_ app.netlify.com tokens, nfb_ build tokens) and, when labelled with Netlify context, the legacy unprefixed 43-45 character token form that remains valid. A leaked token grants control of the account's sites, deploys and environment variables.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: the nf-prefix family is documented by Netlify's own format-change announcement (all five prefixes named, 40-character maximum), and the nfp_ body length is pinned by TruffleHog's production v2 detector. Disclosure: TruffleHog's v2 detector wraps even the distinctive nfp_ regex in a blanket "netlify" PrefixRegex gate; this pattern diverges by offering a value-only 65 tier because the nf?-prefix + bounded-body structure is self-distinctive, and TruffleHog's wrapper there is its standard detector convention rather than a response to a documented false-positive problem (unlike Square's EAAA detector, which carries an explicit FP comment). The legacy unprefixed form is deliberately context-gated: it is indistinguishable from other base64url strings, so both TruffleHog v1 and gitleaks gate it on Netlify context and this pattern embeds the same label requirement at the regex level.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
8
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])(?:nfp_[A-Za-z0-9_]{36}|nf[bcou]_[A-Za-z0-9_]{20,36})(?![A-Za-z0-9_])

Corroborative evidence keywords

netlify, app.netlify.com, NETLIFY_AUTH_TOKEN, personal access token, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References