Sentry Token
Detects Sentry auth tokens: organization tokens (sntrys_), user auth tokens (sntryu_), the user-app and internal-integration prefixes from Sentry's own token-type source (sntrya_, sntryi_), and, when labelled with Sentry context in an assignment, the legacy unprefixed 64-hex tokens issued before prefixing. A leaked token grants API access to error and performance data -- which routinely embeds further secrets, PII, and source context -- and to release/CI operations. Sentry DSNs are explicitly NOT matched: Sentry documents DSNs as safe to keep public.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the sntry?_ prefix family is confirmed by Sentry's own source code (AuthTokenType enum: sntryu_/sntrys_/sntrya_/sntryi_), and the two dominant formats are pinned by multiple independent production detectors -- sntryu_ + 64 hex identically in gitleaks, TruffleHog, and Kingfisher; the sntrys_ branch adopts the full gitleaks/Kingfisher-attested structure (eyJpYXQiO payload head, embedded base64 region_url marker in any of its three rotations, and the trailing ={0,2}_ + 43-character base64 secret; TruffleHog's flat sntrys_eyJ + 197-character body is consistent with this envelope). Sentry is a GitHub secret-scanning partner for both (push protection enabled). The sntrya_/sntryi_ bodies are not published by any source, so they carry an honest bounded range behind their distinctive prefixes rather than an invented exact length. The legacy unprefixed 64-hex form is deliberately context-gated: it is indistinguishable from any SHA-256 hex digest, so it requires a labelled assignment and never fires value-only.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 8
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9+/_-])(?:sntrys_eyJpYXQiO[A-Za-z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[A-Za-z0-9+/]{10,200}={0,2}_[A-Za-z0-9+/]{43}|sntryu_[a-f0-9]{64}|sntry[ai]_[A-Za-z0-9+/=_-]{20,200})(?![A-Za-z0-9+/=_-])
Corroborative evidence keywords
sentry, sentry.io, SENTRY_AUTH_TOKEN, sentry-cli, auth token, api key, api_key, apikey, access key, access token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
sntryu_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef— Sentry user auth token (sntryu_ + 64 hex)SENTRY_AUTH_TOKEN=sntrys_eyJpYXQiOABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789InJlZ2lvbl91cmwiabcdefghijklmnopqrstuvwxyz0123456789==_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq— Sentry organization token (sntrys_eyJpYXQiO + base64 + region_url marker + base64 + padding + _ + 43-char secret) in the canonical env varsntryi_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz— Internal-integration prefix from Sentry's own token-type source (bounded body)sentry auth token = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef— Legacy pre-prefix token (bare 64 hex) in a labelled Sentry assignment (context-gated branch)SENTRY_AUTH_TOKEN: fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210— Legacy 64-hex token after the canonical env var with colon separatorsentry.auth.token="abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"— Legacy 64-hex token in a quoted dotted-key config assignment
Should not match
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef with no vendor context— Bare 64-hex value with no Sentry label anywhere (could be any SHA-256 digest)sntryu_0123456789abcdef— sntryu_ body far too short (16 hex chars, not 64)https://0123456789abcdef0123456789abcdef@o123456.ingest.sentry.io/4501234567890123— Sentry DSN (public by design per Sentry's own docs; its 32-hex public key must not fire the 64-hex legacy branch)rotate the sentry auth token in organization settings— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Sentry DSNs (https://<32-hex>@o<org>.ingest.sentry.io/<project>) look credential-like but are documented by Sentry as safe to keep public; they are deliberately not matched. Mitigation: The legacy branch requires a 64-hex body in a labelled assignment, which a DSN's 32-hex public key cannot satisfy; DSN detection is documented as out of scope rather than flagged as a leak.
- A 64-character hex digest (SHA-256) appearing in a labelled assignment near the word "sentry" in configuration or logs. Mitigation: The legacy branch requires label adjacency plus an assignment separator (enforced by the regex) and corroborative keywords; it never fires value-only.
- The sntrya_/sntryi_ body lengths are not published by Sentry or any scanner; a generous bounded range is used behind the vendor-confirmed prefixes. Hypothetical sntrys_ tokens whose payload lacks the leading '{"iat":' or the embedded region_url field would not match the organization-token branch (both gitleaks and Kingfisher assume the same structure). Mitigation: Documented as an honest bound; the prefixes themselves come from Sentry's own source and are highly distinctive, and the structured org-token branch mirrors both production scanners exactly.
References
- Sentry's own AuthTokenType source (sntryu_/sntrys_/sntrya_/sntryi_ prefixes; pre-prefix tokens have none)
- gitleaks.toml sentry-org-token (sntrys_eyJpYXQiO structured), sentry-user-token (sntryu_[a-f0-9]{64}), sentry-access-token (legacy label-gated 64-hex)
- TruffleHog production Sentry detectors (sentryorgtoken sntrys_eyJ + 197-char body; sentrytoken v2 sntryu_[a-f0-9]{64}; v1 legacy label-gated 64-hex)
- Kingfisher production Sentry rules (org token sntrys_eyJpYXQiO structured; user token sntryu_ 64-hex; legacy label-gated)
- Supported secret scanning patterns - GitHub Docs (Sentry Organization Token and Sentry Personal Token, partner + push protection)
- DSN explainer - Sentry Docs ("DSNs are safe to keep public"; DSN detection is out of scope)