Replicate API Key

Detects Replicate API tokens, which use a distinctive r8_ prefix followed by a fixed-length body of alphanumerics, underscores, and hyphens. A leaked token grants unauthorized, billed access to Replicate's hosted model inference API and any prompts, images, or data routed through it.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: the r8_ prefix and exact 40-character total token length are explicitly documented on Replicate's own security/API-tokens page, the body charset ([0-9A-Za-z_-]) is confirmed by TruffleHog's production Replicate detector, and Replicate is a confirmed GitHub secret-scanning partner (replicate_api_token), so false positives on the prefix+length+charset combination alone are extremely unlikely.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
9
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![0-9A-Za-z_-])r8_[0-9A-Za-z_-]{37}(?![0-9A-Za-z_-])

Corroborative evidence keywords

replicate, replicate.com, api.replicate.com, REPLICATE_API_TOKEN, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References