Free Secret Scanner · Find API Keys in Code
Paste any code, config, or bundle excerpt and get flagged secrets · AWS keys, Stripe live keys, OpenAI keys, GitHub tokens, JWTs, private key blocks and more.
Frequently asked
Which secret formats are detected?
High-signal prefixes and structures: AKIA (AWS), sk_live_/rk_live_ (Stripe), sk- and sk-proj- (OpenAI), ghp_/gho_ (GitHub), AIza (Google), xox (Slack), eyJ JWTs including Supabase service-role tokens, PEM private key blocks, and generic high-entropy assignments.
I found a real key in my code · what now?
Rotate it immediately (the finding means it's compromised, not just risky), move the new key server-side, and scrub git history if it was committed. Then scan your deployed app · the same key may be live in your bundle right now.
Run a full security scan →