
Request new detectors for Flutterwave API #4619

@random-robbie

Description

Request new detectors for Flutterwave API secrets commonly found in environment variables and configs. These include secret keys, public keys, passphrases, and webhook signing keys. Keys are prefixed to indicate environment (TEST vs LIVE) and all should be treated as sensitive.

Preferred Solution

Add detectors for the following Flutterwave key formats (examples are redacted):

FLUTTERWAVE_SECRET_KEY=FLWSECK_TEST-<REDACTED>-X
FLUTTERWAVE_PUBLIC_KEY=FLWPUBK_TEST-<REDACTED>-X
FLUTTERWAVE_PASSPHRASE=<REDACTED>
FLUTTERWAVE_WEBHOOK_KEY=<REDACTED>

Observed key formats (prefixes are case-sensitive):

  • FLWSECK_TEST-<hex?>-X and FLWSECK_LIVE-<hex?>-X
  • FLWPUBK_TEST-<hex?>-X and FLWPUBK_LIVE-<hex?>-X
  • The middle segment appears hex-like (observed length 32), but may vary.

Common variable names / aliases seen in the wild and docs:

  • FLUTTERWAVE_SECRET_KEY, FLUTTERWAVE_PUBLIC_KEY
  • FLW_SECRET_KEY, FLW_PUBLIC_KEY
  • FLW_PROD_SECRET_KEY, FLW_SANDBOX_SECRET_KEY
  • FLW_CLIENT_ID, FLW_CLIENT_SECRET
  • FLUTTERWAVE_PASSPHRASE, FLUTTERWAVE_WEBHOOK_KEY
  • FLW_SECRET_HASH (webhook signature secret hash)

Suggested regexes (tune length/charset as needed):

FLWSECK_(?:TEST|LIVE)-[A-Fa-f0-9]{32,64}-X
FLWPUBK_(?:TEST|LIVE)-[A-Fa-f0-9]{32,64}-X

For FLUTTERWAVE_PASSPHRASE, FLUTTERWAVE_WEBHOOK_KEY, and FLW_SECRET_HASH, consider context-based detection keyed on the variable names (high signal) because the values are base64 / random strings without strong prefixes. The webhook secret hash is user-defined and may be base64 or random ASCII.

Example context patterns (env files / YAML / CI):

FLUTTERWAVE_SECRET_KEY=FLWSECK_LIVE-<REDACTED>-X
FLW_PUBLIC_KEY: FLWPUBK_TEST-<REDACTED>-X
FLW_SECRET_HASH: <REDACTED>

Expected output should identify the secret value and (optionally) the variable name if present.

Implementation notes for TruffleHog:

  • Treat FLWSECK_ and FLWPUBK_ as high-confidence prefixes; anchor with word boundaries to reduce false positives.
  • Consider case-sensitive matching and require the trailing -X suffix.
  • For passphrase / secret hash values, rely on variable names rather than entropy alone to keep FP rate low.
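As an added example (not TruffleHog's own detector code and not written by the issue author), the following stand-alone Go scanner applies the suggested regexes with word boundaries, falls back to variable-name context for the unprefixed values, and reports the variable name when an assignment is present. The sample config is constructed; the 32-64 hex length, the accepted charset for context values, and the `Redact` output format are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one detected Flutterwave credential. VarName is empty when the
// key was found without a surrounding NAME=VALUE / NAME: VALUE assignment.
type Finding struct {
	Kind    string // "secret_key", "public_key" or "context"
	VarName string
	Value   string
}

var (
	// Prefixed keys: case-sensitive prefix, TEST/LIVE marker, hex-like middle
	// segment (32-64 chars is an assumption based on the observed 32) and the
	// trailing -X. The optional leading group captures a variable name in
	// .env (NAME=), YAML (NAME:) and quoted CI forms. \b on both sides of the
	// value stops FLWSECK_ from matching inside a longer token.
	prefixedRe = regexp.MustCompile(`(?:\b([A-Z][A-Z0-9_]*)\s*[:=]\s*["']?)?\bFLW(SECK|PUBK)_(?:TEST|LIVE)-[A-Fa-f0-9]{32,64}-X\b`)

	// Context-based detection: these values have no distinctive prefix, so
	// the variable name carries the signal. Charset/length are assumptions.
	contextRe = regexp.MustCompile(`\b(FLUTTERWAVE_PASSPHRASE|FLUTTERWAVE_WEBHOOK_KEY|FLW_SECRET_HASH|FLW_CLIENT_SECRET)\b\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{8,128})["']?`)

	// Bare value form of prefixedRe, used to pull the value out of a match.
	valueRe = regexp.MustCompile(`FLW(?:SECK|PUBK)_(?:TEST|LIVE)-[A-Fa-f0-9]{32,64}-X`)
)

// Scan walks the input line by line and returns every credential found.
func Scan(data string) []Finding {
	var out []Finding
	for _, line := range strings.Split(data, "\n") {
		for _, m := range prefixedRe.FindAllStringSubmatch(line, -1) {
			kind := "public_key"
			if m[2] == "SECK" {
				kind = "secret_key"
			}
			out = append(out, Finding{Kind: kind, VarName: m[1], Value: valueRe.FindString(m[0])})
		}
		for _, m := range contextRe.FindAllStringSubmatch(line, -1) {
			if valueRe.MatchString(m[2]) {
				continue // a prefixed key assigned to a context name: already reported above
			}
			out = append(out, Finding{Kind: "context", VarName: m[1], Value: m[2]})
		}
	}
	return out
}

// Redact keeps the prefix through the environment marker for prefixed keys
// (enough to tell TEST from LIVE) and masks the rest, so scanner output can
// be logged without re-leaking the secret.
func Redact(v string) string {
	if strings.HasPrefix(v, "FLWSECK_") || strings.HasPrefix(v, "FLWPUBK_") {
		if i := strings.Index(v, "-"); i > 0 {
			return v[:i+1] + "<REDACTED>-X"
		}
	}
	if len(v) <= 4 {
		return "<REDACTED>"
	}
	return v[:4] + "<REDACTED>"
}

// Constructed sample input; none of these values are real credentials.
const sampleConfig = `# constructed .env / YAML mix
FLUTTERWAVE_SECRET_KEY=FLWSECK_TEST-0123456789abcdef0123456789abcdef-X
FLW_PUBLIC_KEY: FLWPUBK_LIVE-00112233445566778899aabbccddeeff-X
FLW_SECRET_HASH: "c29tZS1yYW5kb20td2ViaG9vay1oYXNo"
FLUTTERWAVE_PASSPHRASE=my-passphrase-1234
NOT_A_KEY=XFLWSECK_TEST-0123456789abcdef0123456789abcdef-X
FLWSECK_TEST-short-X
`

func main() {
	for _, f := range Scan(sampleConfig) {
		fmt.Printf("%-11s var=%-24s value=%s\n", f.Kind, f.VarName, Redact(f.Value))
	}
}
```

The last two sample lines show the two false-positive guards from the implementation notes: the `NOT_A_KEY` value is skipped because `\b` rejects a prefix glued to another word character, and `FLWSECK_TEST-short-X` is skipped because the middle segment is not hex.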

Additional Context

Flutterwave API credentials are used to obtain OAuth 2.0 access tokens and to authorize API requests. The OAuth token endpoint is https://idp.flutterwave.com/realms/flutterwave/protocol/openid-connect/token (client credentials grant using client_id and client_secret), and API requests use Authorization: Bearer <ACCESS_TOKEN>. The v4 API supports sandbox and production environments with distinct base URLs, e.g. https://developersandbox-api.flutterwave.com (test) and https://f4bexperience.flutterwave.com/ (production). Keys are retrieved from the dashboard’s API Keys settings and are commonly stored in CI/CD or .env files. Test keys are still sensitive and should be detected.

Webhook signatures: Flutterwave signs webhooks using HMAC-SHA256 with a user-defined secret hash; the signature is sent in the flutterwave-signature header. That secret hash is sensitive and often stored as an environment variable (e.g., FLW_SECRET_HASH or FLUTTERWAVE_WEBHOOK_KEY).
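The reason the secret hash belongs in a detector is that whoever holds it can mint valid signatures for arbitrary webhook payloads. As an added example (not Flutterwave's or TruffleHog's code, and not from the issue author), this Go snippet shows the receiving side: recompute HMAC-SHA256 over the raw body with the secret hash and compare in constant time. Hex encoding of the MAC, the secret value and the payload are assumptions constructed for the example; the issue text states only HMAC-SHA256 and the header name.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignatureHeader is the header name the issue text gives for the signature.
const SignatureHeader = "flutterwave-signature"

// Sign returns the hex-encoded HMAC-SHA256 of the raw request body keyed with
// the user-defined secret hash. Hex encoding is an assumption for this example.
func Sign(secretHash, body []byte) string {
	mac := hmac.New(sha256.New, secretHash)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC over the exact bytes received (before any JSON
// parsing or re-serialisation) and compares it in constant time, so a forged
// or tampered payload is rejected without leaking timing information.
func Verify(secretHash, body []byte, presented string) bool {
	want, err := hex.DecodeString(presented)
	if err != nil {
		return false // malformed header value
	}
	mac := hmac.New(sha256.New, secretHash)
	mac.Write(body)
	return hmac.Equal(want, mac.Sum(nil)) // length-safe, constant-time
}

func main() {
	// Constructed values: a made-up secret hash and webhook payload.
	secret := []byte("constructed-secret-hash-not-real")
	body := []byte(`{"event":"charge.completed","data":{"amount":100}}`)

	sig := Sign(secret, body)
	fmt.Printf("%s: %s\n", SignatureHeader, sig)
	fmt.Println("genuine payload accepted:", Verify(secret, body, sig))

	tampered := []byte(`{"event":"charge.completed","data":{"amount":999}}`)
	fmt.Println("tampered payload accepted:", Verify(secret, tampered, sig))
	// After rotating a leaked secret hash, signatures made with the old one stop verifying.
	fmt.Println("old signature after rotation accepted:", Verify([]byte("rotated-secret"), body, sig))
}
```

Once a scanner such as the requested detector flags a leaked `FLW_SECRET_HASH`, the remediation is to rotate it in the dashboard and in every deployment's environment; the last line of `main` shows that signatures made under the old value then fail verification.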

Example OAuth token request (from docs, placeholders only):

curl -X POST 'https://idp.flutterwave.com/realms/flutterwave/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id={{CLIENT_ID}}' \
  --data-urlencode 'client_secret={{CLIENT_SECRET}}' \
  --data-urlencode 'grant_type=client_credentials'

Example API request (placeholders only):

curl -X GET 'https://developersandbox-api.flutterwave.com/customers?page=1' \
  -H 'Authorization: Bearer {{ACCESS_TOKEN}}' \
  -H 'Content-Type: application/json'
