Netlify Access Token
Detects Netlify authentication tokens: the current nf-prefixed family announced by Netlify in November 2023 (nfp_ personal access tokens, nfc_ CLI tokens, nfo_ OAuth tokens, nfu_ app.netlify.com tokens, nfb_ build tokens) and, when labelled with Netlify context, the legacy unprefixed 43-45 character token form that remains valid. A leaked token grants control of the account's sites, deploys and environment variables.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the nf-prefix family is documented by Netlify's own format-change announcement (all five prefixes named, 40-character maximum), and the nfp_ body length is pinned by TruffleHog's production v2 detector. Disclosure: TruffleHog's v2 detector wraps even the distinctive nfp_ regex in a blanket "netlify" PrefixRegex gate; this pattern diverges by offering a value-only 65 tier because the nf?-prefix + bounded-body structure is self-distinctive, and TruffleHog's wrapper there is its standard detector convention rather than a response to a documented false-positive problem (unlike Square's EAAA detector, which carries an explicit FP comment). The legacy unprefixed form is deliberately context-gated: it is indistinguishable from other base64url strings, so both TruffleHog v1 and gitleaks gate it on Netlify context and this pattern embeds the same label requirement at the regex level.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 8
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])(?:nfp_[A-Za-z0-9_]{36}|nf[bcou]_[A-Za-z0-9_]{20,36})(?![A-Za-z0-9_])
Corroborative evidence keywords
netlify, app.netlify.com, NETLIFY_AUTH_TOKEN, personal access token, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
nfp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789— Netlify personal access token (nfp_ + 36-char body)NETLIFY_AUTH_TOKEN=nfp_abcdefghijklmnopqrstuvwxyz0123456789— Labelled Netlify PAT in the canonical NETLIFY_AUTH_TOKEN env varnfc_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345— Netlify CLI token (nfc_ prefix, vendor-announced family)netlify api token: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq— Legacy unprefixed Netlify token (43 chars) with a Netlify label within the proximity gap
Should not match
nfx_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789— Invalid prefix character (nfx_ is not a Netlify token family)nfp_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678— nfp_ body too short (35 chars, not 36)regenerate the netlify access token in user settings— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Documentation or examples showing placeholder nfp_ strings. Mitigation: Require corroborative Netlify keywords and check for placeholder markers (example, xxxx).
- A 43-45 character base64url string (for example a hash or signed URL fragment) appearing near the word "netlify" in unrelated text. Mitigation: The legacy branch requires label adjacency (already enforced by the regex) plus corroborative keywords and never fires value-only.
- The nfc_/nfo_/nfu_/nfb_ body lengths are not individually pinned by any production detector; a bounded 20-36 range consistent with Netlify's announced 40-character cap is used for those prefixes. Mitigation: Documented as an honest bound; the prefixes themselves are vendor-announced and highly distinctive.
References
- Netlify's own token-format announcement (nfp_/nfc_/nfo_/nfu_/nfb_ prefixes, up to 40 characters, November 2023)
- TruffleHog production Netlify v2 detector (nfp_[a-zA-Z0-9_]{36})
- TruffleHog production Netlify v1 detector (label-gated legacy 43-45 char token)
- gitleaks rule netlify-access-token (label-gated 40-46 char legacy form)