Secrets — Payment Processors

Stripe, PayPal, Square, Braintree, Adyen and other payment-platform credentials.

All rules in this category are of kind `secrets`. They run under `vulnetix secrets` and the secrets stage of `vulnetix scan`.

| Rule ID | Name | Severity | Detection |
|---|---|---|---|
| VNX-SEC-088 | Stripe webhook signing secret (whsec_) | Critical | keyword + regex |
| VNX-SEC-089 | PayPal / Braintree access token | Critical | keyword + regex |
| VNX-SEC-321 | Stripe restricted key (rk_live) | Critical | keyword + regex |
| VNX-SEC-322 | Stripe restricted key (rk_test) | High | keyword + regex |
| VNX-SEC-323 | Stripe publishable key (pk_live) | Medium | keyword + regex |
| VNX-SEC-324 | Stripe publishable key (pk_test) | Medium | keyword + regex |
| VNX-SEC-325 | Stripe Connect OAuth refresh/access token (ca_) | Critical | keyword + regex |
| VNX-SEC-326 | PayPal client secret | Critical | keyword + regex + entropy |
| VNX-SEC-327 | PayPal/Braintree client id | Medium | keyword + regex + entropy |
| VNX-SEC-328 | Square OAuth access token (sq0atp-) | Critical | keyword + regex |
| VNX-SEC-329 | Square OAuth client secret (sq0csp-) | Critical | keyword + regex |
| VNX-SEC-330 | Square personal access token (EAAA) | Critical | keyword + regex |
| VNX-SEC-331 | Adyen API key | Critical | keyword + regex + entropy |
| VNX-SEC-332 | Adyen HMAC key | High | keyword + regex + entropy |
| VNX-SEC-333 | Plaid client id | Medium | keyword + regex + entropy |
| VNX-SEC-334 | Plaid secret | Critical | keyword + regex + entropy |
| VNX-SEC-335 | Coinbase API key | Critical | keyword + regex + entropy |
| VNX-SEC-336 | Coinbase Commerce API key | Critical | keyword + regex + entropy |
| VNX-SEC-337 | Coinbase Pro API key | Critical | keyword + regex + entropy |
| VNX-SEC-338 | Razorpay key id (rzp_live) | High | keyword + regex |
| VNX-SEC-339 | Razorpay key id (rzp_test) | Medium | keyword + regex |
| VNX-SEC-340 | Razorpay key secret | Critical | keyword + regex + entropy |
| VNX-SEC-341 | Paystack secret key (sk_live) | Critical | keyword + regex + entropy |
| VNX-SEC-342 | Paystack public key (pk_live) | Medium | keyword + regex + entropy |
| VNX-SEC-343 | Flutterwave secret key (FLWSECK-) | Critical | keyword + regex |
| VNX-SEC-344 | Flutterwave test secret key (FLWSECK_TEST-) | High | keyword + regex |
| VNX-SEC-345 | Flutterwave public key (FLWPUBK-) | Medium | keyword + regex |
| VNX-SEC-346 | Mollie live API key (live_) | Critical | keyword + regex + entropy |
| VNX-SEC-347 | Mollie test API key (test_) | Medium | keyword + regex + entropy |
| VNX-SEC-348 | GoCardless live access token (live_) | Critical | keyword + regex + entropy |
| VNX-SEC-349 | GoCardless sandbox access token (sandbox_) | Medium | keyword + regex + entropy |
| VNX-SEC-350 | Checkout.com secret key (sk_) | Critical | keyword + regex |
| VNX-SEC-351 | Checkout.com public key (pk_) | Medium | keyword + regex |
| VNX-SEC-352 | Dwolla API key/secret | Critical | keyword + regex + entropy |
| VNX-SEC-353 | Marqeta API key/token | Critical | keyword + regex + entropy |
| VNX-SEC-354 | Lithic API key | Critical | keyword + regex + entropy |
| VNX-SEC-355 | Recurly API key | Critical | keyword + regex + entropy |
| VNX-SEC-356 | Chargebee API key | Critical | keyword + regex + entropy |
| VNX-SEC-357 | Paddle API key/auth code | Critical | keyword + regex + entropy |
| VNX-SEC-358 | Lemon Squeezy API key | Critical | keyword + regex + entropy |
| VNX-SEC-359 | Mercado Pago access token (APP_USR-) | Critical | keyword + regex |
| VNX-SEC-360 | Klarna API credential | Critical | keyword + regex + entropy |
| VNX-SEC-361 | Wise/TransferWise API token | Critical | keyword + regex + entropy |
| VNX-SEC-362 | Brex API token | Critical | keyword + regex |
| VNX-SEC-363 | Ramp API client secret | Critical | keyword + regex + entropy |
| VNX-SEC-364 | Authorize.net transaction key | Critical | keyword + regex + entropy |
| VNX-SEC-365 | Authorize.net signature key | High | keyword + regex + entropy |
| VNX-SEC-366 | Braintree tokenization key | High | keyword + regex + entropy |
| VNX-SEC-367 | Braintree private key | Critical | keyword + regex + entropy |
| VNX-SEC-368 | 2Checkout (Verifone) secret key | Critical | keyword + regex + entropy |
| VNX-SEC-369 | BlueSnap API credential | Critical | keyword + regex + entropy |
| VNX-SEC-370 | Worldpay API/service key | Critical | keyword + regex + entropy |
| VNX-SEC-371 | Checkout.com OAuth client secret | Critical | keyword + regex + entropy |
| VNX-SEC-372 | Adyen client/checkout key (pubkey) | Medium | keyword + regex + entropy |
| VNX-SEC-373 | Coinbase API secret | Critical | keyword + regex + entropy |
| VNX-SEC-374 | Recurly public key | Medium | keyword + regex |
| VNX-SEC-375 | Chargebee site/key combination | High | keyword + regex + entropy |
| VNX-SEC-376 | Plaid access token (access-) | Critical | keyword + regex |
| VNX-SEC-377 | Square sandbox access token (EAAAl) | Medium | keyword + regex + entropy |
| VNX-SEC-378 | Mercado Pago test access token (TEST-) | Medium | keyword + regex |
| VNX-SEC-379 | Dwolla webhook secret | High | keyword + regex + entropy |
| VNX-SEC-380 | Paddle webhook/notification secret | High | keyword + regex |
| VNX-SEC-381 | Paddle API key (pdl_) | Critical | keyword + regex |
| VNX-SEC-382 | Lemon Squeezy webhook signing secret | High | keyword + regex + entropy |
| VNX-SEC-383 | Klarna API username (PK) | Medium | keyword + regex + entropy |
| VNX-SEC-384 | GoCardless webhook secret | High | keyword + regex + entropy |
| VNX-SEC-385 | Stripe webhook signing secret (Connect) | High | keyword + regex + entropy |
| VNX-SEC-386 | Marqeta admin API password (Basic auth) | Critical | keyword + regex + entropy |
| VNX-SEC-387 | Lithic API key (live/test prefix) | Critical | keyword + regex + entropy |
| VNX-SEC-388 | BlueSnap data-protection key | High | keyword + regex + entropy |
| VNX-SEC-389 | Wise API token (raw UUID, no keyword) | High | keyword + regex + entropy |
| VNX-SEC-390 | Razorpay webhook secret | High | keyword + regex + entropy |
| VNX-SEC-391 | Coinbase Pro passphrase | High | keyword + regex + entropy |
| VNX-SEC-392 | Adyen merchant account + key combo (live URL prefix key) | Medium | keyword + regex + entropy |
| VNX-SEC-393 | Brex client secret (OAuth) | Critical | keyword + regex + entropy |
| VNX-SEC-394 | Worldpay client/checkout key (live URL) | Medium | keyword + regex |
| VNX-SEC-395 | Ramp client id | Medium | keyword + regex + entropy |
| VNX-SEC-396 | Authorize.net public client key | Medium | keyword + regex + entropy |
| VNX-SEC-397 | Stripe Connect account id (acct_) | Medium | keyword + regex |
| VNX-SEC-398 | Mollie OAuth access token (access_) | Critical | keyword + regex + entropy |
| VNX-SEC-399 | Square application secret (sq0idp- app id) | Medium | keyword + regex |
| VNX-SEC-400 | Paystack secret key (sk_test) | Medium | keyword + regex + entropy |

Remediation

Rotate any exposed credential immediately, remove it from source, and load it from a secrets manager or environment variable instead. Purge it from git history with git filter-repo. See CWE-798 and the OWASP Secrets Management Cheat Sheet.