Sourcegraph Secret Formats
Sourcegraph uses a number of secret formats to store authentication tokens and keys. This page documents each secret type, and the regular expressions that can be used to match each format.
Token Name | Description | Type | Regular Expression
---|---|---|---
Sourcegraph Access Token (v3) | Token used to access the Sourcegraph GraphQL API | User-generated | `sgp_(?:[a-fA-F0-9]{16}\|local)_[a-fA-F0-9]{40}`
Sourcegraph Access Token (v2, deprecated) | Token used to access the Sourcegraph GraphQL API | User-generated | `sgp_[a-fA-F0-9]{40}`
Sourcegraph Access Token (v1, deprecated) | Token used to access the Sourcegraph GraphQL API | User-generated | `[a-fA-F0-9]{40}`
Sourcegraph Dotcom User Gateway Access Token | Token used to grant sourcegraph.com users access to Cody | Backend (not user-visible) | `sgd_[a-fA-F0-9]{64}`
Sourcegraph License Key Token | Token used for product subscriptions, derived from a Sourcegraph license key | Backend (not user-visible) | `slk_[a-fA-F0-9]{64}`
Sourcegraph Enterprise subscription (aka "product subscription") Token | Token used for Enterprise subscriptions, derived from a Sourcegraph license key | Backend (not user-visible) | `sgs_[a-fA-F0-9]{64}`

For further information about Sourcegraph Access Tokens, see:
Sourcegraph is in the process of rolling out a new Sourcegraph Access Token format. When generating an access token you may receive a token in v2 or v3 format depending on your Sourcegraph instance's version. Newer instances are fully backwards-compatible with all older formats.
Sourcegraph Access Token (v3) Instance Identifier
The Sourcegraph Access Token (v3) includes an instance identifier which can be used by Sourcegraph to securely identify which instance the token was generated for. In the event of a token leak, this allows us to inform the relevant customer.
`sgp_<instance identifier>_<token value>`
The instance identifier is intentionally not verified when a token is used, so tokens will remain valid if it is modified. This doesn't impact the security of our access tokens. For example, the following tokens have the same token value so are equivalent:
sgp_foobar_abcdef0123456789
sgp_bazbar_abcdef0123456789
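
The following scanner is an added example, not Sourcegraph's own code: it applies the regular expressions from the table to text such as a config file or log, and groups v3 findings by token value because the instance identifier is not verified. The group names, the boundary lookarounds, the `low_confidence` flag and the sample input are assumptions made for this example.

```python
import re

# Patterns from the table above, most specific first. The v1 pattern is 40 bare hex
# characters (the shape of a Git SHA-1), so it is tried last and flagged low confidence.
FORMATS = [
    ("access_token_v3", r"sgp_(?:[a-fA-F0-9]{16}|local)_[a-fA-F0-9]{40}"),
    ("access_token_v2", r"sgp_[a-fA-F0-9]{40}"),
    ("dotcom_gateway", r"sgd_[a-fA-F0-9]{64}"),
    ("license_key", r"slk_[a-fA-F0-9]{64}"),
    ("enterprise_subscription", r"sgs_[a-fA-F0-9]{64}"),
    ("access_token_v1", r"[a-fA-F0-9]{40}"),
]
# The lookarounds are an addition to the documented patterns: they keep a match from
# starting or ending inside a longer alphanumeric run, such as a SHA-256 digest.
SCANNER = re.compile(
    r"(?<![A-Za-z0-9])(?:"
    + "|".join(f"(?P<{name}>{pattern})" for name, pattern in FORMATS)
    + r")(?![A-Za-z0-9])"
)

def scan(text):
    """Return one finding per match: kind, instance identifier, token value."""
    findings = []
    for m in SCANNER.finditer(text):
        raw = m.group(0)
        findings.append({
            "kind": m.lastgroup,
            # Only v3 tokens carry an instance identifier (the middle field).
            "instance": raw.split("_")[1] if m.lastgroup == "access_token_v3" else None,
            "value": raw.rsplit("_", 1)[-1],
            "low_confidence": m.lastgroup == "access_token_v1",
        })
    return findings

def v3_secrets(findings):
    """Group v3 findings by token value; differing instance identifiers are one secret."""
    grouped = {}
    for f in findings:
        if f["kind"] == "access_token_v3":
            grouped.setdefault(f["value"], set()).add(f["instance"])
    return grouped

# Constructed sample input; none of these values are real tokens.
A, B, C, D = "a1" * 20, "b2" * 20, "c3" * 20, "d4" * 32
SAMPLE = (
    f"token=sgp_0123456789abcdef_{A}\ntoken=sgp_local_{A}\n"
    f"legacy=sgp_{B}\ncommit {C}\nsha256 {D}\n"
)
```

A token whose instance identifier has been altered no longer matches the v3 pattern; this scanner still reports its 40-character value through the v1 pattern, which is why the leading lookbehind does not exclude `_`.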