API Key Detector
Scan source code for exposed API keys from 15+ providers — entirely in your browser
You are about to push code to a public repository and need to verify that no API keys are embedded in string literals, comments, or variable assignments. This tool scans source code for patterns matching known API key formats from 15+ providers.
Supported Providers
| Provider | Pattern | Example Prefix |
|---|---|---|
| AWS Access Key | `AKIA[0-9A-Z]{16}` | AKIAIOSFODNN7EXAMPLE |
| Google API Key | `AIza[0-9A-Za-z\-_]{35}` | AIzaSyC... |
| Stripe | `sk_live_[a-zA-Z0-9]{24,}` | sk_live_4eC39HqLy... |
| GitHub PAT | `ghp_[a-zA-Z0-9]{36}` | ghp_xxxxxxxxxxxx... |
| OpenAI | `sk-[a-zA-Z0-9]{20,}` | sk-proj-... |
| npm Token | `npm_[a-zA-Z0-9]{36}` | npm_xxxxxx... |
| Twilio | `SK[a-f0-9]{32}` | SK1234abcd... |
| SendGrid | `SG\.[a-zA-Z0-9\-_]+` | SG.xxxxx... |
| Slack Bot | `xoxb-[0-9A-Za-z\-]+` | xoxb-123-456-abc |
| Heroku | `[a-f0-9]{8}-[a-f0-9]{4}-...` | UUID format |
How Detection Works
The detector uses a library of regular expressions tuned to each provider’s key format. Each pattern has a confidence level — “high” for patterns that are very specific (like the AKIA prefix for AWS), and “medium” for patterns that could match non-secret strings. Results include the line number and a masked preview of the matched key.
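The detection flow described above, as an added example that is not this tool's own source. The patterns are copied from the table; the names `RULES`, `mask` and `scan`, every confidence label other than "high" for AWS, and the masking format are assumptions.

```javascript
// Added example: per-provider regex rules with a confidence label.
// Patterns come from the table above; labels other than AWS "high" are assumed.
const RULES = [
  { provider: "AWS Access Key", re: /AKIA[0-9A-Z]{16}/g, confidence: "high" },
  { provider: "GitHub PAT", re: /ghp_[a-zA-Z0-9]{36}/g, confidence: "high" },
  { provider: "Stripe", re: /sk_live_[a-zA-Z0-9]{24,}/g, confidence: "high" },
  // "SK" plus 32 hex characters can also be a build id or hash, hence "medium".
  { provider: "Twilio", re: /SK[a-f0-9]{32}/g, confidence: "medium" },
];

// Assumed masking format: keep the first 4 and last 2 characters so a finding
// is recognisable without reproducing the secret in the report.
function mask(secret) {
  return secret.slice(0, 4) + "*".repeat(secret.length - 6) + secret.slice(-2);
}

// Scan line by line so each finding carries a 1-based line number.
function scan(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { provider, re, confidence } of RULES) {
      // matchAll works on a copy of the regex, so the shared /g rules keep no state.
      for (const m of text.matchAll(re)) {
        findings.push({ line: i + 1, provider, confidence, preview: mask(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input: AWS's documented example key, a placeholder
// GitHub-style token in a comment, and a hex id that only looks like a key.
const SAMPLE = [
  'const region = "us-east-1";',
  'const accessKey = "AKIAIOSFODNN7EXAMPLE"; // TODO remove',
  "// token: ghp_" + "a".repeat(36),
  'const buildId = "SK' + "0123456789abcdef".repeat(2) + '";',
].join("\n");

for (const f of scan(SAMPLE)) {
  console.log(`line ${f.line}: ${f.provider} [${f.confidence}] ${f.preview}`);
}
```

The third finding is the kind of "medium" match that needs a human look: the string fits the Twilio pattern but is not labelled as a credential anywhere in the code.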
Frequently Asked Questions
Why not just use git-secrets or trufflehog? Those are excellent for CI/CD pipelines. This tool is for quick manual checks — paste code before committing, or audit a snippet from a colleague. No installation needed.
Does it scan files on my computer? No. It only scans text you paste into the input area. All processing happens in your browser.