rules:
  - name: Pipedrive API Token
    id: kingfisher.pipedrive.1
    pattern: |
      (?xi)
      \b
      (?:
        pipedrive
        (?:.|[\n\r]){0,32}?
        (?:api[_-]?token|x-api-token|token|authorization|key)
        |
        x-api-token
      )
      (?:.|[\n\r]){0,16}?
      \b
      (
        [a-f0-9]{40}
      )
      \b
    pattern_requirements:
      min_digits: 4
    min_entropy: 3.3
    confidence: high
    examples:
      - 'x-api-token: 659c9fddb16335e48cc67114694b52074e812e03'
      - 'PIPEDRIVE_API_TOKEN=740dd23ada464336f353b4d08e83c4a801fc1d86'
      - 'x-api-token: 2592440cff58a695e33e5776160c4ee5e73e1b9c'
      - 'pipedrive token: bbbe1b93ebbf4b0a68a752916b58c8df9b1acae8'
      - |
        curl --request GET \
        --url "https://companydomain.pipedrive.com/api/v2/deals" \
        --header "x-api-token: 659c9fddb16335e48cc67114694b52074e812e03"
    references:
      - https://pipedrive.readme.io/docs/core-api-concepts-authentication
      - https://pipedrive.readme.io/docs/how-to-find-the-api-token
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://api.pipedrive.com/v1/users/me
          headers:
            x-api-token: "{{ TOKEN }}"
            Accept: application/json
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: WordMatch
              words:
                - '"success":true'
                - '"data"'
              match_all_words: true
    # Revocation note: Pipedrive API tokens are managed via UI/admin controls.
    # No documented token-self-revocation endpoint is available for this token format.