Free Secret & API-Key Scanner
Paste code, a config file or a .env and instantly scan for hard-coded secrets — AWS keys, Stripe/GitHub/Slack/SendGrid/OpenAI tokens, private keys and high-entropy credential assignments. Matches are shown redacted, and the scan runs entirely in your browser.
What this secret scanner checks
How it works
In-browser · nothing you paste is uploaded
1. You paste code, a config file or a .env; we scan it in your browser with provider-specific patterns plus a high-entropy detector.
2. We match AWS/GCP/Stripe/GitHub/Slack/OpenAI keys, PEM private keys and credential-looking assignments.
3. Matches are shown redacted (first/last few characters only) and nothing — secret or source — is uploaded, logged or stored.
What it doesn’t do: A clean result means no detector matched; custom/proprietary credential formats can still be missed.
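The steps above, sketched as an added JavaScript example (not this tool's own code): a few widely published provider key formats plus an entropy check on credential-looking assignments, with redacted output. The pattern list, the `ASSIGNMENT` regex, the 3.5 bits-per-character threshold and the sample input are assumptions made for illustration.

```javascript
// Added example: detector names, regexes and thresholds are assumptions, not this tool's rules.
const PROVIDER_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "stripe-live-secret", re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { name: "pem-private-key", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
];
// Credential-looking assignment: a suggestive key name, then = or :, then a long value.
const ASSIGNMENT = /\b(\w*(?:secret|token|passw(?:or)?d|api_?key)\w*)\s*[:=]\s*["']?([^\s"']{16,})/gi;

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Keep only the first and last few characters of a match.
function redact(s, keep = 4) {
  return s.length <= keep * 2 ? "*".repeat(s.length)
    : s.slice(0, keep) + "*".repeat(s.length - keep * 2) + s.slice(-keep);
}

function scan(text, minEntropy = 3.5) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const seen = new Set(); // values already reported by a provider pattern
    for (const { name, re } of PROVIDER_PATTERNS) {
      for (const m of line.matchAll(re)) {
        seen.add(m[0]);
        findings.push({ line: i + 1, detector: name, match: redact(m[0]) });
      }
    }
    for (const m of line.matchAll(ASSIGNMENT)) {
      if (seen.has(m[2]) || entropy(m[2]) < minEntropy) continue;
      findings.push({ line: i + 1, detector: "high-entropy-assignment", match: redact(m[2]) });
    }
  });
  return findings;
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  'db_password = "Zq8#vL2pXw9!rT5mKe3$"',
  "api_key=xxxxxxxxxxxxxxxxxxxxxxxx",
  "# no secrets on this line",
].join("\n");
console.log(scan(SAMPLE));
```

The placeholder `api_key` line is skipped because its entropy is 0; the same filter would also pass over a real but low-entropy password, which is one way a clean result can still hide a secret.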
Why it matters
Hard-coded secrets in source, config or client bundles are one of the most common and damaging leaks — a single committed key can expose cloud accounts, payment systems or source code. Catching them before they ship is the cheapest possible fix.
Frequently asked questions
Is it safe to paste secrets here?
The scan runs entirely in your browser — nothing you paste is uploaded, logged or stored. Detected secrets are also shown redacted (first/last few characters only).
What should I do if it finds a secret?
Treat it as compromised: rotate/revoke it at the provider, remove it from the code, and move it to a server-side secret manager or environment variable that is never shipped to clients.
Does a clean result mean there are no secrets?
No — it means none of our detectors matched. Custom or proprietary credential formats can be missed, so still review sensitive code manually.