Square Access Token
Detects Square credential formats: application secrets (sq0csp-, with sandbox- prefixed sandbox variants), legacy personal access tokens (sq0atp-), and current OAuth/personal access tokens (EAAA + 60-character body, context-gated on a nearby Square label because the EAAA base64 shape also occurs in non-Square tokens and encoded blobs). A leaked token or secret enables payment processing and transaction data access in the associated Square account.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the sq0-family prefixes are Square-specific and multiply attested (TruffleHog squareapp production detector, gitleaks square-access-token rule, GitHub secret-scanning partner entries square_production_application_secret / square_sandbox_application_secret). The EAAA access-token form is attested by TruffleHog (exact 60-char body) and gitleaks but is deliberately context-gated: TruffleHog's own production detector requires the word "square" in the scanned data because bare EAAA matches base64-encoded blobs and other vendors' token families, so this pattern embeds the same label requirement at the regex level.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 10
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_])(?:(?:sandbox-)?sq0c[a-z]{2}-[0-9A-Za-z_-]{40,50}|sq0atp-[0-9A-Za-z_-]{22,60})(?![0-9A-Za-z_-])
Corroborative evidence keywords
square, squareup.com, SQUARE_ACCESS_TOKEN, application secret, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database, host, [object Object] (+37 more)
Proximity: 300 characters
Should match
sq0csp-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd— Square production application secret (sq0csp- + 40-char body)sandbox-sq0csb-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghi— Square sandbox application secret (sandbox- prefix + 45-char body)sq0atp-ABCDEFGHIJKLMNOPQRSTUV— Square legacy personal access token (sq0atp- + 22-char body)SQUARE_ACCESS_TOKEN=EAAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567— Labelled Square OAuth/personal access token (EAAA + 60-char body)Using square with token EAAAzyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA01234567— Square brand mention followed by an EAAA access token
Should not match
sq0idp-ABCDEFGHIJKLMNOPQRSTUV— Square application ID (public identifier, deliberately not matched)sq0csp-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123— Application secret body too short (30 chars, below the 40-char floor)EAAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567— Bare EAAA value with no Square label anywhere (could be any base64 blob or another vendor's token)rotate the square access token in the developer dashboard— Prose mention without a token valuetemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- A base64-encoded blob or another vendor's EAAA-prefixed token appearing near the word "square" in unrelated text. Mitigation: The EAAA branch requires the Square label within 40 characters (already enforced by the regex) plus corroborative keywords; the 60-character exact body length further constrains matches.
- Documentation or examples showing placeholder sq0csp-/sq0atp-/EAAA strings. Mitigation: Require corroborative Square keywords and check for placeholder markers (example, xxxx).
- Square application IDs (sq0idp-/sq0idb-) are public identifiers, not secrets, and are deliberately out of scope. Mitigation: Documented as a scope decision; only secret-bearing formats (application secrets, personal access tokens, OAuth access tokens) are matched.
References
- TruffleHog production Square detector (EAAA + exactly 60-char body, requires "square" context)
- TruffleHog production Square app detector ((sandbox-)sq0c??- secret 40-50 chars; sq0i??- app id)
- gitleaks rule square-access-token ((?:EAAA|sq0atp-)[\w-]{22,60})
- Square Token - GitGuardian detector documentation (Prefixed: True)
- Supported secret scanning patterns - GitHub Docs (square_access_token, square_production_application_secret, square_sandbox_application_secret)