kingfisher/crates/kingfisher-rules/data/rules/klingai.yml


rules:
  # Detects a Kling AI access-key / secret-key pair that appears close together
  # in the same text, then checks the pair against the Kling API.
  - name: Kling AI Secret Key
    id: kingfisher.klingai.1
    # Pattern layout ((?xi): extended mode, case-insensitive):
    #   1. the keyword "kling"
    #   2. within 120 chars, an access-key label (access key / accesskeyid / ak)
    #   3. within 64 chars, a 32-char alphanumeric value captured as AKID
    #   4. within 120 chars, a secret-key label (secret key / accesskeysecret / sk)
    #   5. within 64 chars, a 32-char alphanumeric value captured as SECRET
    # The gaps use (?:.|[\n\r]) so the pair may be split across lines.
    # NOTE(review): the secret-key label is a capturing group "(secret...|sk)"
    # while the access-key label is non-capturing "(?:...)". Presumably only
    # AKID and SECRET are meant to be captured - confirm how the engine treats
    # the extra unnamed group before changing it to "(?:".
    # NOTE(review): the "ak" alternative has a word boundary only in front of
    # it, so it also matches the start of longer words; with confidence
    # "medium" that may be acceptable - confirm against false-positive data.
    pattern: |
      (?xi)
      \b
      kling
      (?:.|[\n\r]){0,120}?
      \b
      (?:access[\s_-]*key|accesskeyid|ak)
      (?:.|[\n\r]){0,64}?
      \b
      (?P<AKID>
      [A-Za-z0-9]{32}
      )
      \b
      (?:.|[\n\r]){0,120}?
      \b
      (secret[\s_-]*key|accesskeysecret|sk)
      \b
      (?:.|[\n\r]){0,64}?
      \b
      (?P<SECRET>
      [A-Za-z0-9]{32}
      )
      \b
    min_entropy: 2.0
    confidence: medium
    # The example ends with a literal double quote inside the single-quoted
    # string; it is part of the sample text.
    examples:
      - 'kling Access Key: ADaPACHhrBACBMABNbLpyfdQC2aBdf8r kling Secret Key: 8kKdpk9EnNdYJGQ8hRptagCFBmFHDB33"'
    references:
      - https://docs.qingque.cn/d/home/eZQDkhg4h2Qg8SEVSUTBdzYeY
      - https://community.n8n.io/t/authorization-kling-api/112647
    # Live validation: a GET to the account costs endpoint for the last hour
    # (start_time = now - 3600 s, end_time = now, both in milliseconds),
    # authenticated with a JWT built from the captured pair.
    # NOTE(review): the host is fixed to the "api-singapore" endpoint; if keys
    # are bound to other regional endpoints they may fail here and be reported
    # as not active - confirm.
    validation:
      type: Http
      content:
        request:
          method: GET
          # SINGLE LINE URL (no folded block) so you don't accidentally end up with %20
          url: 'https://api-singapore.klingai.com/account/costs?start_time={{ "" | unix_timestamp | minus: 3600 | times: 1000 }}&end_time={{ "" | unix_timestamp | times: 1000 }}'
          headers:
            Content-Type: application/json
            Accept: application/json
            # SINGLE LINE Authorization header (no YAML "|" block) so it won't be dropped.
            # JWT matches the Python example: HS256 header + {iss,exp,nbf} payload signed with SK.
            # iss = AKID, exp = now + 1800 s, nbf = now - 5 s. SECRET is used only as
            # the HMAC-SHA256 key; the request carries the signature and the access
            # key id, not the secret itself.
            Authorization: '{%- assign header = "HS256" | jwt_header -%}{%- assign now = "" | unix_timestamp -%}{%- assign exp = now | plus: 1800 -%}{%- assign nbf = now | minus: 5 -%}{%- assign payload_json = ''{"iss":"'' | append: AKID | append: ''","exp":'' | append: exp | append: '',"nbf":'' | append: nbf | append: ''}'' -%}{%- assign payload = payload_json | b64url_enc -%}{%- assign signing_input = header | append: "." | append: payload -%}{%- assign sig_b64 = signing_input | hmac_sha256: SECRET -%}{%- assign sig = sig_b64 | replace: "+", "-" | replace: "/", "_" | replace: "=", "" -%}Bearer {{ header }}.{{ payload }}.{{ sig }}'
          # Matchers: status 200, status not 401/403/500, and a JSON-parseable body.
          # NOTE(review): report_response presumably copies the response body into
          # the finding; for a costs endpoint that may be account billing data, so
          # treat scan reports for this rule as sensitive - confirm.
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [200]
            - type: StatusMatch
              status: [401, 403, 500]
              negative: true
            - type: JsonValid