Code security
Secret & API Key Scanner
Find hardcoded API keys and secrets in your code.
About this tool
Paste your code, .env, or config and instantly find hardcoded API keys and secrets - AWS, Stripe, OpenAI, GitHub, Supabase, and 30+ more patterns. Runs 100% in your browser; nothing is uploaded.
Frequently asked questions
- Is my code uploaded anywhere?
  No. The scan runs entirely in your browser using JavaScript - your code, keys, and config never leave your device and are never sent to a server. You can confirm this by disconnecting from the internet; the tool still works.
- What kinds of secrets can it detect?
  More than 30 patterns, including AWS access keys, Stripe secret keys, OpenAI and Anthropic keys, GitHub and GitLab tokens, Google API keys, Slack tokens, Supabase service_role keys, SendGrid and Twilio credentials, private keys, database connection strings, and generic high-entropy secret assignments.
- Does a clean result mean my code is safe?
  No. This is pattern-based detection, so it can miss custom, encoded, or obfuscated secrets, and it cannot tell you whether an already-exposed key is being abused or whether a public key is dangerous because the backing service was never locked down. Treat it as a fast first check, not a guarantee.
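
The pattern-based detection described in the FAQ above, and the encoded-secret gap it mentions, shown as an added JavaScript example (not this tool's own code or rule set). The three format rules, the keyword list, the 3.5-bit entropy threshold, and every sample value are simplified assumptions constructed for illustration.

```javascript
// Simplified rules for illustration; not the tool's actual rule set.
const RULES = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];
// Generic rule: a secret-looking variable name assigned a long value.
const ASSIGN =
  /\b[\w-]*(?:secret|token|passwd|password|api[_-]?key)[\w-]*\s*[:=]\s*["']?([A-Za-z0-9+\/=_-]{16,})/gi;
const MIN_ENTROPY = 3.5; // bits per character (assumed threshold)

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Report only a prefix so the scanner's own output does not re-leak the secret.
const mask = (s) => s.slice(0, 4) + "****";

function scan(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { name, re } of RULES) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: i + 1, rule: name, match: mask(m[0]) });
      }
    }
    for (const m of line.matchAll(ASSIGN)) {
      if (shannonEntropy(m[1]) >= MIN_ENTROPY) {
        findings.push({ line: i + 1, rule: "high-entropy-assignment", match: mask(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these values is a live credential.
const SAMPLE = [
  "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",             // AWS documentation example key
  'gh = "ghp_' + "x".repeat(36) + '"',                  // constructed token shape
  'API_KEY="q7Zp2LmX9vRt4KbN8sWd"',                     // caught by the entropy rule
  'password = "changemechangemechangeme"',              // low entropy: not flagged
  'const cfg = "' + btoa("AKIAIOSFODNN7EXAMPLE") + '"', // base64-encoded: missed
].join("\n");

console.log(scan(SAMPLE));
```

Lines 4 and 5 of the sample produce no finding: the weak password falls below the entropy threshold, and the base64-encoded key matches no format rule, which is why a clean result is only a first check.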