Square Access Token

Detects Square credential formats: application secrets (sq0csp-, with sandbox- prefixed sandbox variants), legacy personal access tokens (sq0atp-), and current OAuth/personal access tokens (EAAA + 60-character body, context-gated on a nearby Square label because the EAAA base64 shape also occurs in non-Square tokens and encoded blobs). A leaked token or secret enables payment processing and transaction data access in the associated Square account.

Type
regex
Engine
universal
Confidence
high
Confidence justification
High confidence: the sq0-family prefixes are Square-specific and multiply attested (TruffleHog squareapp production detector, gitleaks square-access-token rule, GitHub secret-scanning partner entries square_production_application_secret / square_sandbox_application_secret). The EAAA access-token form is attested by TruffleHog (exact 60-char body) and gitleaks but is deliberately context-gated: TruffleHog's own production detector requires the word "square" in the scanned data because bare EAAA matches base64-encoded blobs and other vendors' token families, so this pattern embeds the same label requirement at the regex level.
Jurisdictions
global
Regulations
Criminal Code Act 1995 (Cth)
Frameworks
CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
Data categories
credentials, security
Scope
narrow
Risk rating
10
Platform compatibility
Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])(?:(?:sandbox-)?sq0c[a-z]{2}-[0-9A-Za-z_-]{40,50}|sq0atp-[0-9A-Za-z_-]{22,60})(?![0-9A-Za-z_-])

Corroborative evidence keywords

square, squareup.com, SQUARE_ACCESS_TOKEN, application secret, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)

Proximity: 300 characters

Should match

Should not match

Known false positives

References