100 Regex Patterns To Hunt Secrets Inside Javascript

When performing reconnaissance or source code reviews, JavaScript files are a goldmine of leaked credentials, secrets, tokens, and other sensitive artifacts. This blog post is a curated resource library of 100 regex patterns designed to help security researchers and engineers identify such exposures quickly during penetration tests or bug bounty assessments.

Use these patterns in automated scans or plug them into tools like grep, ripgrep, or Jsmon's own scanning engine to surface critical findings.
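The following scanner is an added example, not code from the post or from Jsmon. It shows how a subset of the patterns from the list below can be applied line by line to a JavaScript file with Python's `re` module, which is a common place to run them when GNU grep is built without `-P` (ERE does not understand the inline `(?i)` flag used by many patterns). Two patterns are adjusted here, and only here: Python rejects a bare `(?-i)` switch, so the AWS Secret Access Key pattern is written with the equivalent scoped group `(?-i:...)`, and the private key pattern makes the key-type prefix optional together with its trailing space so that a plain `-----BEGIN PRIVATE KEY-----` is also caught. The sample bundle at the bottom is constructed; every value in it is fake.

```python
import re
import sys
from collections import namedtuple

# A subset of the patterns from the list, keyed by their names. Pattern 2 is
# rewritten with a scoped (?-i:...) group because Python's re module does not
# accept a bare (?-i); pattern 91 has an optional "TYPE " prefix as a unit.
PATTERNS = {
    "AWS Access Key ID": r"AKIA[0-9A-Z]{16}",
    "AWS Secret Access Key": r"(?i)aws(.{0,20})?(?-i:['\"][0-9a-zA-Z/+]{40}['\"])",
    "GitHub Token": r"ghp_[0-9a-zA-Z]{36}",
    "Slack Token": r"xox[baprs]-([0-9a-zA-Z]{10,48})?",
    "Stripe Secret Key": r"sk_live_[0-9a-zA-Z]{24}",
    "MongoDB Connection URI": r"mongodb(\+srv)?://[^\s'\"]+",
    "Password Assignment": r"(?i)(password|pwd|pass)['\"\s:=]+[^\s'\"]{4,100}",
    "Private Key Block": r"-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH) )?PRIVATE KEY-----",
}


def compile_patterns(patterns):
    """Compile every pattern; report and skip any the engine rejects rather
    than letting one bad pattern abort the whole scan."""
    compiled = {}
    for name, src in patterns.items():
        try:
            compiled[name] = re.compile(src)
        except re.error as exc:
            print(f"skipping {name!r}: {exc}", file=sys.stderr)
    return compiled


COMPILED = compile_patterns(PATTERNS)

Finding = namedtuple("Finding", "name line value")


def redact(value, keep=4):
    """Keep a short prefix so a report can be shared without re-leaking the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text, patterns=COMPILED):
    """Run every pattern over every line; return matches with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in patterns.items():
            for m in rx.finditer(line):
                findings.append(Finding(name, lineno, m.group(0)))
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample bundle: every value is fake and only has the shape the
# patterns look for.
SAMPLE_JS = """\
// constructed sample bundle, all values are fake
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAABCDEFGHIJKLMNOP",
  awsSecret: "abcdefghijklmnopqrstuvwxyz0123456789ABCD",
};
const GH = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
const mongo = "mongodb+srv://app:hunter2@cluster0.example.net/prod";
const password = "S3cretPassw0rd!";
const pem = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkq...
-----END PRIVATE KEY-----`;
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [f for p in targets for f in scan_file(p)] if targets else scan_text(SAMPLE_JS)
    for f in results:
        print(f"line {f.line:>4}  {f.name:<24}  {redact(f.value)}")
```

Run it with one or more file paths to scan real bundles, or with no arguments to scan the embedded sample; the report prints redacted values by default, which is the form you want in a ticket or a CI log.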

🔑 API Keys & Tokens

1. AWS Access Key ID
AKIA[0-9A-Z]{16}

2. AWS Secret Access Key
(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]

3. Google API Key
AIza[0-9A-Za-z\-_]{35}

4. Firebase Secret
AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}

5. GitHub Token
ghp_[0-9a-zA-Z]{36}

6. GitLab Token
glpat-[0-9a-zA-Z-_]{20}

7. Slack Token
xox[baprs]-([0-9a-zA-Z]{10,48})?

8. Stripe Secret Key
sk_live_[0-9a-zA-Z]{24}

9. Stripe Publishable Key
pk_live_[0-9a-zA-Z]{24}

10. Twilio API Key
SK[0-9a-fA-F]{32}

11. SendGrid API Key
SG\.[\w\d\-_]{22}\.[\w\d\-_]{43}

12. Mailgun API Key
key-[0-9a-zA-Z]{32}

13. Dropbox Access Token
sl\.[A-Za-z0-9_-]{20,100}

14. Shopify Access Token
shpat_[0-9a-fA-F]{32}

15. Facebook Access Token
EAACEdEose0cBA[0-9A-Za-z]+

16. Heroku API Key
[hH]eroku['\"][0-9a-f]{32}['\"]

17. DigitalOcean Token
dop_v1_[a-z0-9]{64}

18. Asana Personal Access Token
0/[0-9a-z]{32}

19. Linear API Key
lin_api_[a-zA-Z0-9]{40}

20. Telegram Bot Token
\d{9}:[a-zA-Z0-9_-]{35}


🔐 OAuth & JWT

21. OAuth Client Secret
(?i)client_secret['"\s:=]+[a-zA-Z0-9\-_.~]{10,100}

22. OAuth Client ID
(?i)client_id['"\s:=]+[a-zA-Z0-9\-_.~]{10,100}

23. JWT Token
eyJ[A-Za-z0-9-_=]+?\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*

24. Azure Client Secret
(?i)azure(.{0,20})?client.secret(.{0,20})?['\"][a-zA-Z0-9._%+-]{32,}['\"]

25. Microsoft Teams Webhook
https:\/\/[a-z]+\.webhook\.office\.com\/webhookb2\/[a-zA-Z0-9@\-]+\/.*
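A JWT found by pattern 23 is worth more than a hit count: its header and claims are only base64url-encoded, so a triage step can read the algorithm, key id, issuer and expiry to judge whether the token is live or long expired. The code below is an added example, not from the post; it applies pattern 23 as written and decodes without verifying the signature (the claims are for triage only, never for an authorization decision). The token in the sample is constructed by the block itself with a placeholder signature.

```python
import base64
import json
import re
import time

# Pattern 23 from the list above.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9-_=]+?\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*")


def _b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def _b64url_encode(obj):
    """Used only to build the constructed sample token below."""
    raw = json.dumps(obj, separators=(",", ":")).encode("ascii")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def inspect_jwt(token, now=None):
    """Decode header and claims WITHOUT verifying the signature.

    Enough to triage a finding (algorithm, key id, issuer, expiry); the
    decoded claims must never be trusted for an authorization decision.
    """
    parts = token.split(".", 2)
    if len(parts) < 2:
        raise ValueError("not a JWT: fewer than two segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = parts[2] if len(parts) == 3 else ""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "iss": claims.get("iss"),
        "sub": claims.get("sub"),
        "exp": exp,
        "expired": exp is not None and now >= exp,
        "signed": bool(signature),
    }


def find_jwts(text, now=None):
    """Locate JWT-shaped strings and attach a triage summary to each;
    a match that does not decode is reported with None (false positive
    or truncated token)."""
    results = []
    for m in JWT_RE.finditer(text):
        token = m.group(0)
        try:
            results.append((token, inspect_jwt(token, now)))
        except ValueError:  # covers binascii.Error and JSONDecodeError
            results.append((token, None))
    return results


# Constructed sample: hand-built header and claims, placeholder signature.
SAMPLE_JWT = ".".join([
    _b64url_encode({"alg": "HS256", "typ": "JWT"}),
    _b64url_encode({"iss": "https://auth.example.test", "sub": "user-42", "exp": 1700000000}),
    "placeholder-signature",
])
SAMPLE_JS = (
    "// constructed sample; the token is hand-built and not actually signed\n"
    f'localStorage.setItem("token", "{SAMPLE_JWT}");\n'
)

if __name__ == "__main__":
    for token, info in find_jwts(SAMPLE_JS):
        print(token[:12] + "...", info)
```

Passing `now` explicitly keeps the expiry check reproducible in tests; in a real scan leave it out so the wall clock is used.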


🔒 Credentials & Passwords

26. Basic Auth String
(?i)(username|user|email)['"\s:=]+[^\s'"@]{1,100}['"].*?(password|pwd)['"\s:=]+[^\s'"]{4,100}

27. Password Assignment
(?i)(password|pwd|pass)['"\s:=]+[^\s'"]{4,100}

28. API Key in Variable
(?i)(api[_-]?key)['"\s:=]+[a-zA-Z0-9\-_.]{8,100}

29. Secret in Variable
(?i)(secret|token)['"\s:=]+[a-zA-Z0-9\-_.]{8,100}

30. Authorization Bearer Token
Bearer\s+[a-zA-Z0-9\-._~+/]+=*


🛢️ Database URLs

31. MongoDB Connection URI
mongodb(\+srv)?:\/\/[^\s'"]+

32. PostgreSQL URI
postgres(?:ql)?:\/\/[^\s'"]+

33. MySQL URI
mysql:\/\/[^\s'"]+

34. Redis URI
redis:\/\/[^\s'"]+

35. Elasticsearch URI
elasticsearch:\/\/[^\s'"]+

36. Supabase DB Key
supabase\.co\/[a-z0-9]{15,}

37. Firebase URL
https:\/\/[a-z0-9-]+\.firebaseio\.com

38. JDBC URL
jdbc:\w+:\/\/[^\s'"]+

39. AWS RDS Hostname
[a-z0-9-]+\.rds\.amazonaws\.com

40. Cloud SQL URI (GCP)
googleapis\.com\/sql\/v1beta4\/projects\/


🛰️ Other Service Credentials

41. Algolia API Key
(?i)(algolia|application)_?key['"\s:=]+[a-zA-Z0-9]{10,}

42. Firebase API Key
firebaseConfig\s*=\s*{[^}]*apiKey\s*:\s*['"][^'"]+['"]

43. Cloudinary URL
cloudinary:\/\/[0-9]{15}:[a-zA-Z0-9]+@[a-zA-Z]+

44. Sentry DSN
https:\/\/[a-zA-Z0-9]+@[a-z]+\.ingest\.sentry\.io\/\d+

45. Netlify Token
netlifyAuthToken\s*=\s*['"][a-z0-9]{40}['"]

46. GitHub OAuth App Secret
[a-f0-9]{40}

47. Segment API Key
(?i)segment(.{0,20})?key['"\s:=]+[a-zA-Z0-9]{10,}

48. Intercom Access Token
(?i)intercom(.{0,20})?token['"\s:=]+[a-zA-Z0-9-_]{20,}

49. Amplitude API Key
apiKey['"]?\s*:\s*['"][a-z0-9\-]{32,64}['"]

50. Plaid Client Secret
plaid(.{0,20})?(client)?secret['"\s:=]+[a-z0-9-_]{30,}


📦 Container & Deployment Secrets

51. Docker Hub Password
(?i)docker(.{0,20})?password['"\s:=]+[^\s'"]{8,}

52. AWS IAM Role ARN
arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9_+=,.@\-_/]+

53. AWS S3 Bucket URL
s3:\/\/[a-z0-9\-\.]{3,63}

54. Kubernetes Secret Name
(?i)secretName:\s*['"]?[a-z0-9\-]+['"]?

55. Helm Secret Value
(?i)secret\s*:\s*['"][^'"]+['"]

56. GitHub Actions Secret Reference
secrets\.[A-Z0-9_]+

57. GitHub Actions Encrypted Value
encrypted_value:\s*['"][a-zA-Z0-9+/=]{10,}['"]

58. K8s Service Account Token
eyJhbGciOiJSUzI1NiIsImtpZCI6

59. Vault Token
s\.[a-zA-Z0-9]{8,}

60. Hashicorp Vault URL
https:\/\/vault\.[a-z0-9\-_\.]+\.com


🧰 DevOps & CI/CD Credentials

61. CircleCI Token
circle-token=[a-z0-9]{40}

62. Travis CI Token
(?i)travis(.{0,20})?token['"\s:=]+[a-z0-9]{30,}

63. Jenkins Crumb Token
Jenkins-Crumb:\s*[a-z0-9]{30,}

64. Azure DevOps Token
[a-z0-9]{52}

65. GitHub Personal Access Token
ghp_[a-zA-Z0-9]{36}

66. GitHub Fine-Grained Token
github_pat_[0-9a-zA-Z_]{20,}

67. Bitbucket OAuth Key
bitbucket(.{0,20})?key['"\s:=]+[a-zA-Z0-9]{20,}

68. Bitbucket OAuth Secret
bitbucket(.{0,20})?secret['"\s:=]+[a-zA-Z0-9]{20,}

69. GitLab Runner Token
glrt-[a-zA-Z0-9_-]{20}

70. Netlify Access Token
netlifyAuthToken\s*=\s*['"][a-z0-9]{40}['"]


🛠️ SDKs & Tooling Keys

71. Bugsnag API Key
[a-f0-9]{32}

72. Datadog API Key
[a-z0-9]{32}

73. Loggly Token
[a-z0-9]{30}-[a-z0-9]{10}

74. New Relic Key
NRII-[a-zA-Z0-9]{20,}

75. Mixpanel Token
(?i)mixpanel(.{0,20})?token['"\s:=]+[a-z0-9]{32}

76. Heap Analytics App ID
heapSettings\.appId\s*=\s*['"][a-z0-9]{8,12}['"]

77. Keen IO Project ID
projectId['"]?\s*:\s*['"][a-f0-9]{24}['"]

78. Keen IO Write Key
writeKey['"]?\s*:\s*['"][a-zA-Z0-9]{64}['"]

79. Snyk Token
snyk_token\s*=\s*[a-f0-9\-]{36}

80. Rollbar Access Token
access_token['"]?\s*:\s*['"][a-z0-9]{32}['"]


🎮 App & Game APIs

81. Twitch API Key
(?i)twitch(.{0,20})?key['"\s:=]+[a-zA-Z0-9]{20,}

82. Discord Bot Token
[MN][A-Za-z\d]{23}\.[\w-]{6}\.[\w-]{27}

83. Discord Webhook URL
https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+

84. Steam Web API Key
(?i)steam(.{0,20})?key['"\s:=]+[a-zA-Z0-9]{32}

85. Riot Games API Key
RGAPI-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}


🌐 URL Leaks & Internal Endpoints

86. Private IP (Internal)
\b(10\.\d{1,3}|\b192\.168|\b172\.(1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}

87. Localhost Reference
localhost:[0-9]{2,5}

88. Dev/Stage URL
(dev|staging|test)\.[a-z0-9.-]+\.(com|net|io)

89. Internal Subdomain URL
https?:\/\/[a-z0-9.-]+\.internal\.[a-z]{2,}

90. Preprod URLs
https:\/\/preprod\.[a-z0-9-]+\.[a-z]{2,}


🧪 Miscellaneous & Generic

91. Private Key Block
-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH) )?PRIVATE KEY-----

92. PEM File Content
-----BEGIN CERTIFICATE-----

93. PGP Private Key Block
-----BEGIN PGP PRIVATE KEY BLOCK-----

94. Base64 High Entropy String
['\"][A-Za-z0-9+\/]{40,}={0,2}['\"]

95. API Key Generic Detector
(?i)(apikey|api_key|secret|token)['"\s:=]+[a-zA-Z0-9\-._]{8,}

96. Bearer Token Generic
(?i)authorization:\s*Bearer\s+[a-zA-Z0-9\-._~+/]+=*

97. Session ID
(?i)(sessionid|session_id)['"\s:=]+[a-zA-Z0-9]{10,}

98. Cookie Name Generic
(?i)set-cookie:\s*[a-zA-Z0-9_-]+=

99. CSRF Token
(?i)csrf(token)?['"\s:=]+[a-zA-Z0-9-_]{8,}

100. JWT in Local Storage
localStorage\.setItem\(['"]token['"],\s*['"]eyJ[a-zA-Z0-9-_]+\.[a-zA-Z0-9-_]+\.[a-zA-Z0-9-_]+['"]\)
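Pattern 94 is named after entropy but only checks the base64 alphabet and a minimum length, and the bare hex runs of patterns 46 and 71 (and the similar alphanumeric runs of 64 and 72) fire on every commit hash and content checksum in a bundle. The usual second pass is a Shannon-entropy check over each match. The block below is an added example, not the post's own tooling: it keeps pattern 94 as written, adds `\b` to the two hex patterns (an adjustment made here so they do not fire inside a longer hash), and uses thresholds of 3.0 bits for hex and 4.5 for base64, which are assumed starting points to tune per codebase. The sample values are constructed so their entropies are exact.

```python
import math
import re
from collections import Counter

# Pattern 94 from the list above, plus patterns 46 and 71 with \b added here
# (an adjustment for this example) so they do not match inside longer hashes.
# Thresholds (bits per character) are assumed values: hex 3.0, base64 4.5.
GENERIC_PATTERNS = {
    "Base64 High Entropy String": (r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]", 4.5),
    "Hex 40 (GitHub OAuth App Secret)": (r"\b[a-f0-9]{40}\b", 3.0),
    "Hex 32 (Bugsnag API Key)": (r"\b[a-f0-9]{32}\b", 3.0),
}
COMPILED = {name: (re.compile(src), limit)
            for name, (src, limit) in GENERIC_PATTERNS.items()}


def shannon_entropy(s):
    """Bits per character estimated from the string's own symbol frequencies.
    The ceiling is log2(alphabet size): 4.0 for hex, 6.0 for base64; filler
    and base64-encoded prose score far lower than a random key."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_candidates(text, patterns=COMPILED):
    """Return every generic match with its entropy and whether it passed."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (rx, limit) in patterns.items():
            for m in rx.finditer(line):
                core = m.group(0).strip("'\"")  # pattern 94 includes the quotes
                ent = shannon_entropy(core)
                out.append({"name": name, "line": lineno, "value": core,
                            "entropy": round(ent, 3), "kept": ent >= limit})
    return out


def kept_findings(text):
    """Only the candidates that cleared their alphabet's threshold."""
    return [c for c in find_candidates(text) if c["kept"]]


# Constructed sample: filler (entropy 0), a uniform 32-hex value (exactly
# 4.0), base64 of thirty 'a's (exactly 2.0) and one of each base64 symbol (6.0).
SAMPLE_JS = """\
// constructed sample, every value is made up
const filler = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const key = "0123456789abcdef0123456789abcdef";
const padded = "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh";
const blob = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
"""

if __name__ == "__main__":
    for c in find_candidates(SAMPLE_JS):
        flag = "KEEP" if c["kept"] else "drop"
        print(f"{flag}  line {c['line']}  {c['name']:<32}  H={c['entropy']}")
```

Entropy alone still passes every genuine SHA-1 and SHA-256 in the file, so pair it with the context a match sits in (a variable name from patterns 28, 29 or 95 on the same line) before raising a finding.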

✅ Final Words

Security researchers often stumble upon gold hidden in plain sight — especially in exposed JavaScript files. These 100 regex patterns can help uncover secrets quickly and systematically during bug bounty, red teaming, or automated scanning.

If you don’t want the hassle of manually hunting down all these sensitive keys in JavaScript files, let Jsmon do the work for you. 🚀

Let us know what patterns you use, and we’ll keep the list growing! 🙌

Join our Discord group: https://jsmon.sh/discord-invite
