Secret & API-key scanner

Did a secret just sneak into your code?

Hardcoded keys are the #1 way projects get popped — especially AI-generated, vibe-coded ones where a live token slips into a commit unnoticed. Paste your code below and find out before you ship.

100% in your browser — your code never leaves this tab. No upload. No signup.

What we detect

40+ secret patterns

From cloud providers to AI APIs, payment keys to private certs — if it looks like a credential, LeakCheck flags it.

  • AWS

    Access key IDs & secret access keys.

  • Stripe

    Live & restricted secret keys.

  • OpenAI & Anthropic

    sk- and API tokens for both.

  • GitHub & GitLab

    Personal access & OAuth tokens.

  • Google

    API keys & OAuth client secrets.

  • Slack / Twilio / SendGrid

    Bot, account & mail tokens.

  • Private keys

    RSA, EC & OpenSSH PEM blocks.

  • Database URLs

    Postgres, MySQL, Mongo with creds.

  • JWTs

    Signed JSON Web Tokens in source.

How it works

Three steps, zero uploads

  1. Paste

    Drop in code, a .env file, or any config you're about to commit.

  2. Scanned in your browser

    40+ patterns run locally in JavaScript. Nothing is sent to a server.

  3. Masked findings + how to fix

    Each hit is shown by severity with the value masked and a fix to follow.
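
One way to implement the local scan-and-mask flow from the three steps above, as an added example that is not LeakCheck's own code. The four rules, their names, the severity levels and the masking scheme are assumptions chosen for illustration, and the sample input is constructed.

```javascript
// Illustrative rules only: a small subset of well-known credential formats.
// Rule ids and severities are assumptions made for this example.
const RULES = [
  { id: "private-key", severity: "critical",
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { id: "aws-access-key-id", severity: "high",
    re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: "github-pat", severity: "high",
    re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "db-url-with-creds", severity: "high",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s:@\/]+:[^\s@\/]+@[^\s'"]+/g },
];
const RANK = { critical: 0, high: 1, medium: 2 };

// Keep a short prefix so the finding is recognisable, hide the rest.
function mask(value) {
  return value.slice(0, 4) + "*".repeat(Math.min(value.length - 4, 12));
}

// Scan line by line so each finding carries a line number; the raw
// secret is never stored in the result, only its masked form.
function scan(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        findings.push({ rule: rule.id, severity: rule.severity,
                        line: i + 1, masked: mask(m[0]) });
      }
    }
  });
  // Most severe first, then in file order.
  return findings.sort((a, b) =>
    RANK[a.severity] - RANK[b.severity] || a.line - b.line);
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIA" + "ABCDEFGHIJKLMNOP",
  "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
  "GITHUB_TOKEN=ghp_" + "a1B2".repeat(9),
  "API_BASE=https://api.example.com/v1",
  "-----BEGIN OPENSSH PRIVATE KEY-----",
].join("\n");

console.log(scan(SAMPLE));
```

Because matching is purely pattern-based, a key that is split across lines or stored in a custom format passes through unflagged, which is the false-negative case the FAQ describes.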

FAQ

Questions, answered

Is it safe to paste secrets here?

Yes. LeakCheck runs entirely in your browser — your code is never sent over the network, uploaded, logged, or stored. The scan happens locally in JavaScript on this page. That said, if a secret was already committed or shared, treat it as compromised and rotate it regardless of what this tool finds.

Does it store my code?

No. Nothing is persisted. Your pasted text lives only in this tab's memory and disappears the moment you close or reload the page. There's no database, no analytics on your content, and no signup.

What about false negatives?

LeakCheck uses heuristic pattern matching, so it can miss custom or obfuscated secrets, and it may occasionally flag something harmless. It's a fast first line of defense — not a guarantee. Pair it with a CI secret scanner and good .gitignore hygiene for full coverage.

A key leaked — what now?

Rotate it immediately in the provider's dashboard so the exposed value stops working. Then scrub it from your git history (the secret stays in old commits even after you delete the line) using a tool like git filter-repo or BFG, and force-push the cleaned history. Assume anything that ever hit a public repo is already harvested.

Can I run this in CI?

A pre-commit hook + CI ruleset pack is coming — catch leaks automatically on every commit and pull request, before they ever reach your remote.

Stop secrets before they're committed

LeakCheck Pro will run the same checks as a pre-commit hook and CI ruleset, so a leaked key never lands in your history — be first to know when it lands.
