FREENo login. No storage. Instant results.

Your deployed app is leaking your secrets.

KeyLeak scans your public JavaScript and HTML for exposed API keys, tokens, and credentials in seconds, before attackers find them first.

Only scan URLs you own or have explicit permission to test.

↑ Example scan output

keyleak scan → app.vercel.app4 found
OpenAI API KeyCRITICAL
main.chunk.js
sk-••••••••••••••••••••Kq9X
AWS Access KeyCRITICAL
vendor.bundle.js
sk-••••••••••••••••••••Kq9X
Stripe Live SecretHIGH
_next/static/chunks/pages/index.js
sk_live_••••••••••••••••••GzR2
Generic JWTMEDIUM
app.[hash].js
eyJ••••••••••••••••••••••.sig
Scan complete — 2.3s⚠ Rotate keys immediately
14 secret patterns detected
Scans complete in under 10 seconds
— scans completed
Zero data stored — ever
Scans client-side JS & HTML only
Works on any public URL
What KeyLeak Detects

14 secret patterns. Real consequences.

Severity varies — from CRITICAL keys that drain your AWS account to LOW-risk public keys flagged for review.

Anthropic API Key
sk-ant-

Full API access to Claude models. Treat as top priority.

CRITICAL
OpenAI API Key
sk-

Grants full OpenAI account access, including billing.

CRITICAL
Stripe Live Secret
sk_live_

Can charge customers and access all financial data.

CRITICAL
Stripe Publishable Key
pk_live_

Intentionally public, but flag for review if unexpected.

LOW
Google API Key
AIza

Varies by scope — can enable billing escalation attacks.

HIGH
AWS Access Key
AKIA

Infrastructure access. Can spin up resources at your cost.

CRITICAL
GitHub PAT
ghp_

Repository read/write and org-level access.

CRITICAL
Supabase Service Role JWT
JWT role:service_role

Bypasses Row Level Security — full database access.

CRITICAL
Generic JWT
eyJ...

Needs manual review — may expose user sessions or admin roles.

MEDIUM
Slack Bot Token
xoxb-

Can read private channels and post as your bot.

HIGH
Twilio Auth Token
SK

Can send SMS/calls billed to your account.

HIGH
Mailchimp API Key
us1-

Access to your mailing lists and subscriber data.

MEDIUM
Sendgrid API Key
SG.

Can send email from your domain — phishing risk.

HIGH
Firebase API Key
AIza

Low risk if Firestore rules are correct. Flag for audit.

LOW