kingfisher/crates/kingfisher-rules/data/rules/carto.yml
2026-04-09 11:59:31 -07:00


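# Kingfisher detection rule for CARTO API access tokens, which appear as
# compact JWTs (header.payload.signature).
rules:
  - name: CARTO API Access Token (JWT)
    id: kingfisher.carto.1
    # The fixed first segment is base64url for {"alg":"HS256"}. That header is
    # not unique to CARTO: any HS256 JWT with this minimal header and segment
    # lengths inside the bounds below will match, so the vendor attribution
    # is a hint rather than a fact (hence confidence: medium).
    # NOTE(review): both examples decode to a payload shaped like
    # {"a":"ac_...","jti":"..."}. If CARTO guarantees that shape, anchoring the
    # payload on it would cut false positives - confirm before tightening.
    # NOTE(review): an HS256 signature is 43 base64url characters; the {20,60}
    # bound is looser than that, and the second example depends on it.
    # The trailing \b cannot match after '-', so a token ending in '-' is
    # captured short. This matters if the capture is ever replayed to an API.
    pattern: |
      (?x)
      \b
      (
        eyJhbGciOiJIUzI1NiJ9
        \.
        [A-Za-z0-9_-]{20,80}
        \.
        [A-Za-z0-9_-]{20,60}
      )
      \b
    # Post-match filters: drop candidates with too few digits or low entropy,
    # such as placeholder or documentation strings.
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.5
    confidence: medium
    examples:
      - "CARTO_KEY=\"eyJhbGciOiJIUzI1NiJ9.eyJhIjoiYWNfMjQ2M3dpNCIsImp0aSI6ImNkMDI2ZDk5In0.N2mk5Zg-e7_XC3NtLIM9UD8usbFz5pKRalGVYGkgZbZ\""
      - "carto_api_key = 'eyJhbGciOiJIUzI1NiJ9.eyJhIjoiYWNfY2RlZmdoIiwianRpIjoiYWI2MTIzNDUifQ.BcDeFgHiJkLmNoPqRsTuVwXy'"
    references:
      - https://api-docs.carto.com
    # No standalone validation or revocation is added: CARTO's documented APIs
    # use account- and deployment-specific endpoints, and the public docs do not
    # describe a token self-introspection or self-revocation API for these JWTs.
    # Findings are therefore unverified: a match does not show whether the
    # token is still active. Triage it as live and revoke or rotate it through
    # the owning CARTO account.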