Skip to content

Supported Secrets

SailPoint Entro detects and validates cleartext secrets across integrations using pattern-based rules, AI enrichment, and generic credential heuristics. Use the tables below to browse supported secret types by detection category.

For full per-secret validation details, refer to Supported Secrets.

Pattern-based services detections

Secret Type Validated Validation Type
Adobe api key
Aiven API Key API Auth
Aiven Password
Akeyless access key API Auth NHI Enriched
Algolia API Key API Auth
Amazon MWS Auth Token
Amplitude API Key API Auth
Amplitude Secret Key API Auth
Anthropic API Key API Auth
Anthropic Admin Key API Auth
Asana Access Token API Auth
Atlassian Admin API Key
Atlassian ID API Key
AWS AppSync GraphQL Key
AWS Bedrock API Key API Auth
AWS Full credentials NHI Enriched API Auth
Azure AI Services API Auth
Azure app registration client secret NHI Enriched
Azure Cosmos Cassandra API Auth
Azure Cosmos DB key API Auth
Azure Cosmos DB key API Auth
Azure Cosmos MongoDB API Auth
Azure Cosmos MongoDB API Auth
Azure Cosmos NoSQL API Auth
Azure Cosmos NoSQL API Auth
Azure Cosmos Table API Auth
Azure Cosmos Table API Auth
Azure DevOps PAT NHI Enriched API Auth
Azure DevOps PAT V2 API Auth
Azure Storage Access Key API Auth
Bitbucket App Password
Bitbucket Client Secret
Box Oauth app client secret API Auth
Braintree Access Token
Brevo
BuildKite API Auth
Closecrm
Code Climate
CodyAI API Key API Auth
Contentful API Auth
Cursor API Key API Auth
Databricks PAT API Auth
Databricks SP API Auth
Datadog API key API Auth
Deputy
Digital Ocean Personal Access Token API Auth
Digital Ocean Spaces Secret Key API Auth
Discord Bot Token API Auth
Docker PAT
Dockerhub Oauth token API Auth
Doppler
Dropbox App Creds API Auth
Dropbox App OAuth Token API Auth
Dropbox Legacy Token
Dropbox Sign API key API Auth
Elastic Cloud Admin Console API Key API Auth
Elastic Cloud API Key API Auth
Facebook access token API Auth
Fastly API Key API Auth
Figma PAT API Auth
Firebase Cloud Messaging API Key
Fleetbase
FramelO API Auth
Fullstory API Key API Auth
GCP Service Account Creds API Auth NHI Enriched
GitBook API Key API Auth
GitHub API Token NHI Enriched API Auth
Gitlab PAT API Auth
GoCardless API Key
Google API Keys API Auth
Google OAuth2 Access Token
Google reCAPTCHA API Key
Grafana API token
Grafana Service Account Token API Auth
Groq API Key API Auth
Hashicorp
Heroku API Key API Auth
Hubspot API Key API Auth
Ionic Personal Access Token API Auth
JDBC (DB Connection string)
JFrog Artifactory Token API Auth
JFrog JWT Access Token API Auth
JFrog Reference Access token API Auth
Klaviyo Api Key API Auth
LangChain API Key API Auth
LangChain Service Key API Auth
LaunchDarkly Mobile Key API Auth
LaunchDarkly SDK Key API Auth
LDAP Password
LinearAPI API Auth
LinkedIn Secret Key
Mailchimp API Key API Auth
MailGun API Key API Auth
MailGun PAT API Auth
Meta App Creds Pair API Auth
Meta User Token API Auth
Midise
Notion API Key API Auth
Octopus Api key
Okta Admin API Token NHI Enriched API Auth
Okta client ID (ID & Secret) API Auth NHI Enriched
OpenAl API Auth
OpenAl Service Account API Auth
OpenWeather API Key API Auth
Perplexity API Key API Auth
Picatic API key API Auth
Pinecone api key API Auth
Pingdom token API Auth
PlanetScale Client Secret
PlanetScale Service Token
Posthog API Auth
Postman
Private key
Private key + Cert
Pubnub publish key
Pubnub subscription key
Pulumi Access Token API Auth
PyPI API Token
Rakuten Web Services API Key
RapidAPI
Really simple systems
Redis Cloud Account Key API Auth
Redis Cloud User Key API Auth
Rubygems
Salesforce Secret
Saucelabs
SendGrid API Key API Auth
Sentry Organization Auth Token API Auth
Sentry Token
Sentry User Auth Token API Auth
Shippo Live API Key API Auth
Shippo Test API Key API Auth
SignalWire
Slack Token Advanced API Auth
Snowflake Connection String API Auth
Snowflake Generic Credentials API Auth
Snowflake JDBC API Auth
Snowflake ODBC API Auth
Snowflake PAT API Auth
Snowflake Python API Auth
Splunk API token
Splunk Auth
Square Access Token
Square OAuth Secret
StackHawk API Key
storage
Stripe API key API Auth
Sumo Logic Access Key API Auth
Sumo Logic Install Token API Auth
Supabase Personal Access Token API Auth
Telegram Bot API Key
Terraform Cloud PAT API Auth
Twilio API Key API Auth
Twilio Master Secret API Auth
Typeform API Auth
Ubidots
Username and password in URI (Connection string) API Auth
V0.Dev User API Key API Auth
WooCommerce Consumer Key
X Consumer Secret API Auth
XML Private key

Temporary keys detections

Although temporary tokens have a short TTL and may not pose an actual risk, their exposure could reveal a flawed process in managing secrets.

Secret types:

Webhooks detections

Exposed webhooks pose a security risk if discovered by adversaries. While they may not reveal sensitive information, they can be exploited to manipulate and tamper with organizational procedures and services that rely on their data.

Secret type Validity
Outlook team
Slack Webhook
Discord Webhook URL
Zapier webhook
Microsoft Teams webhook

Generic detections (AI Enriched*)

SailPoint Entro monitors generic secrets and credentials. They only generate an incident if enriched with context from their surrounding code or content to label their target service type.

Secret type Explanation Examples
Generic curl user and password Observed once User & Password combination appears near a "Curl" command for authorization curl -u myuser:mypass
Generic key Observed for any text combination of the keywords: "key", "api key", "secret", "token", "auth", "pat", "access", "client" - along with a high entropy string, and AI processing for false positive elimination my-serv-secret: dj2983cn928cyr9n82ynr9298cjuc3a
Generic creds Observed for any text combination of the keywords: "pw", "pwd", "pass", "cred" - along with a delimiter, high entropy string, and AI processing for false positive elimination SERVER_CREDENTIALS: A$@KFdj123
Generics Auth B64 Observed for decoded B64 strings for basic authorization strings "Authorization": "Basic aW50ZXJuc2hpcDpjZGk="

Qualifications for Generic Detections

To capture high-fidelity secret detections only, SailPoint Entro has identified a specific characteristic to qualify only strong detections as a Generic Secret:

  • High Entropy secret payload
  • Placeholder text such as "dummy", "test", or "example" strings won't qualify as valid detections for a secret payload. See examples below.
Redacted
Dummy
Test
Masked
******
SAMPLE
DELETED
VAULT
123456
  • The secret string for the "Generic Key" must be at least 14 characters long and include all the following: uppercase letters, lowercase letters, and digits.
  • Secret string for "Generic Creds" should be at least 5 chars long
  • AI analyzed ContextIQ determines it's a true positive detection based on its context.
  • Specific predefined patterns known to generate noise are excluded to reduce false positives and improve detection quality.

AI Enriched services (1000+)

SailPoint Entro automatically tags potential exposed secret services using pre-defined names. It employs GenAI, entropy-based analysis, and secret-like characteristics. So in this case, secrets from those 1000+ services can be detected and tagged regardless if it's supported by entro rules mentioned above.

Low-confidence detections

Experimental, partial, or informational detections that do not necessarily grant access to sensitive information or authorization.