Pinecone API Key
Detects Pinecone API keys in both current live formats: pcsk_ (the dominant format issued by the Pinecone console, CLI, and SDK key-creation flows) and pckey_ (the Enterprise-plan Admin API variant, format pckey_<public-label>_<unique-key>). A leaked key grants unauthorized access to a Pinecone vector database, including any embeddings or vectorised source data it stores.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: both prefixes are multiply attested. pcsk_ is the dominant live format -- shown in Pinecone's own CLI reference and AGENTS-JAVASCRIPT doc examples, called out in Pinecone's official skills repo contributor guide as the real key shape that security linters flag, and pinned to an exact body structure (5-6 alnum label + 63 alnum secret) by TruffleHog's production detector. pckey_ is explicitly documented on Pinecone's Admin API reference (Enterprise-plan key-creation endpoint). Pinecone is also a confirmed GitHub secret-scanning partner (pinecone_api_key). Older, pre-pcsk_ Pinecone keys (bare UUIDs) are not covered -- documented as a scope limitation rather than invented as an additional format.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])(?:pcsk_[A-Za-z0-9]{5,6}_[A-Za-z0-9]{63}|pckey_[A-Za-z0-9_-]{10,100})(?![A-Za-z0-9_-])
Corroborative evidence keywords
pinecone, pinecone.io, PINECONE_API_KEY, vector database, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
pcsk_abc123_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789A— Pinecone API key, dominant pcsk_ format (6-char label + 63-char secret)PINECONE_API_KEY=pcsk_key001_zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLkKjJiIhHgGfFeEdDcCbBaA0123456789z— Labelled pcsk_ key in an env assignmentpckey_devkey_ABCDEFGHIJKLMNOPQRSTUVWXYZabcd— Pinecone Enterprise Admin API key, pckey_ prefix + label + unique-key bodyUsing pinecone with key pckey_ci01234567890123456789012345— Pinecone brand mention followed by a pckey_ token value
Should not match
pcsk_abc123_ABCDEFGHIJKLMNOPQRSTUVWXYZabcd— pcsk_ key with secret segment far too short (30 chars, not 63)pckey_ab— pckey_ body far too short (2 chars, below the 10-char floor)remember to rotate the pinecone api key before deploying— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Documentation or examples showing placeholder pcsk_/pckey_ strings. Mitigation: Require corroborative Pinecone keywords and check for placeholder markers (example, xxxx).
- The common English noun "pinecone" (the plant structure) appearing in unrelated text near an unrelated token or hash. Mitigation: The brand-name keyword term is case-sensitive (Pinecone, capitalised) and additional unambiguous terms (pinecone.io, PINECONE_API_KEY) disambiguate from the generic noun.
- Legacy pre-pcsk_ Pinecone keys (bare UUIDs) are a different, unverifiable format not matched by this pattern. Mitigation: Documented as a known scope limitation; only the current pcsk_ and pckey_ formats are matched.
References
- TruffleHog production Pinecone detector (pins pcsk_ body: 5-6 alnum label + 63 alnum secret)
- Pinecone CLI reference (current pcsk_ key example in pc auth configure)
- AGENTS JAVASCRIPT - Pinecone Docs (current pcsk_ key example in SDK usage)
- Create an API key - Pinecone Docs (confirms Enterprise Admin API pckey_<public-label>_<unique-key> format)
- Supported secret scanning patterns - GitHub Docs