Your deployed app is leaking your secrets.
KeyLeak scans your public JavaScript and HTML for exposed API keys, tokens, and credentials in seconds, before attackers find them first.
Only scan URLs you own or have explicit permission to test.
↑ Example scan output
14 secret patterns. Real consequences.
Severity varies — from CRITICAL keys that drain your AWS account to LOW-risk public keys flagged for review.
Full API access to Claude models. Treat as top priority.
Grants full OpenAI account access, including billing.
Can charge customers and access all financial data.
Intentionally public, but flag for review if unexpected.
Varies by scope — can enable billing escalation attacks.
Infrastructure access. Can spin up resources at your cost.
Repository read/write and org-level access.
Bypasses Row Level Security — full database access.
Needs manual review — may expose user sessions or admin roles.
Can read private channels and post as your bot.
Can send SMS/calls billed to your account.
Access to your mailing lists and subscriber data.
Can send email from your domain — phishing risk.
Low risk if Firestore rules are correct. Flag for audit.