Secret Scanner — API Key & Credential Detector
Scan pasted text, code, or config files for accidentally exposed API keys, tokens, passwords, and private keys. Detects 50+ secret types across AWS, GitHub, Stripe, OpenAI, and more — all client-side, nothing leaves your browser.
How to Use Secret Scanner — API Key & Credential Detector
How to Use the Secret and Credential Scanner
Step 1: Paste Your Text
Paste any text into the scanner: environment variable files, Docker Compose configs, CI/CD pipeline definitions, code snippets, log output, or any other text that might contain credentials. You can also click an example preset to test with sample secrets.
Step 2: Review the Results
The scanner checks your input against more than 50 regex patterns in real time. Results are grouped by severity:
| Severity | Meaning | Example |
|---|---|---|
| Critical | Immediate risk — rotate now | AWS access key, Stripe secret key, RSA private key |
| High | Significant risk — rotate soon | GitHub PAT, Slack bot token, Twilio SID |
| Medium | Review carefully | JWT token, bearer token in header, generic password assignment |
Each finding shows the secret type, the line number it was found on, and a redacted preview (click Show redacted match to reveal the first and last few characters).
Step 3: Rotate and Remove
If the scanner finds real credentials:
- Rotate them immediately in the relevant service dashboard — treat them as compromised regardless of whether they were actually accessed.
- Remove or replace them with environment variable references such as process.env.STRIPE_SECRET_KEY.
- If the file was committed to git, delete is not enough — the secret remains in git history. Use git filter-repo or BFG Repo Cleaner to purge the history, then force-push.
- Review access logs in the affected service for unauthorized use.
Secret Categories Detected
| Category | Examples |
|---|---|
| Cloud | AWS access keys, GCP service accounts, Azure connection strings |
| Version Control | GitHub PATs, GitLab tokens |
| Payment | Stripe, Square, Braintree, Shopify |
| Communication | Slack, Discord, Telegram, SendGrid, Mailgun, Twilio |
| AI / ML | OpenAI, Anthropic, Hugging Face |
| Infrastructure | DigitalOcean, NPM, Databricks |
| Cryptographic Keys | RSA, EC, OpenSSH, PGP private keys |
| Auth Tokens | JWT, Bearer tokens, Basic auth in URLs |
| Database | MongoDB, PostgreSQL, MySQL, Redis connection strings |
| Generic | Password assignments, API key assignments (higher false positive rate) |
About False Positives
Generic patterns such as password = ... or api_key = ... have a higher false positive rate because they match configuration examples and placeholder values. The scanner marks these findings with a note. Specific patterns such as AKIA... for AWS or ghp_... for GitHub have very low false positive rates because the prefix is unique to that service.
Frequently Asked Questions
Most Viewed Tools
TOTP Code Generator — 2FA Testing Tool
Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.
Use Tool →JSON to Zod — Schema Generator
Generate Zod validation schema code from a JSON sample object. Infers z.string(), z.number(), z.boolean(), z.array(), z.object(), and z.null() types automatically. Handles nested objects, arrays of objects with optional field detection, and outputs copy-ready TypeScript with import and z.infer type alias.
Use Tool →JSONL Formatter — Line-by-Line Validator
Format, validate, and inspect JSON Lines (JSONL) and NDJSON files. Validates each line individually, reports parse errors by line number, outputs compact JSONL or a pretty-print preview, and lets you download the cleaned file.
Use Tool →TLS Cipher Suite Checker — Strength Analyzer
Check TLS protocol version compatibility and cipher suite strength ratings against current best practices. Supports IANA and OpenSSL cipher names — rates each suite as Strong, Weak, or Deprecated and explains why.
Use Tool →Password Entropy Calculator — Crack Time Estimator
Calculate the information-theoretic bit entropy of any password or API key. Detects character set pools automatically, shows the total number of possible combinations, and estimates crack time across five attack scenarios from rate-limited web logins to GPU cracking clusters.
Use Tool →Screen Size Converter — Diagonal Dimension Tool
Calculate screen width and height from diagonal size and aspect ratio. Convert between inches and centimeters for displays, TVs, and monitors with instant dimension calculations.
Use Tool →TOML Config Validator — Syntax Error Finder
Validate TOML configuration file syntax and report errors with line numbers. Paste any TOML content — Cargo.toml, pyproject.toml, config.toml — and instantly see a green checkmark with key counts and structure stats, or a precise error message pointing to the exact line. Includes a collapsible JSON structure preview to confirm what was parsed.
Use Tool →Content Security Policy Generator — XSS Shield Builder
Build Content Security Policy headers interactively. Toggle directives like script-src, style-src, and img-src, select allowed source tokens, and add custom origins. Instantly outputs your CSP as an HTTP header, meta tag, Nginx directive, or Apache header.
Use Tool →Related Privacy & Security Tools
API Key Hasher — Secure Storage Tool
Hash API keys using SHA-256, SHA-512, or PBKDF2 before storing them in your database. Generates a Node.js verification snippet and shows the recommended storage format — all 100% client-side using the Web Crypto API.
Use Tool →PGP Key Generator — Browser-Based Key Pair Tool
Generate PGP public and private key pairs for email encryption and code signing. Supports ECC (Curve25519) and RSA up to 4096-bit. Entirely browser-side — keys never leave your device.
Use Tool →TOTP Code Generator — 2FA Testing Tool
Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.
Use Tool →OAuth 2.0 Scope Builder — Permission String Tool
Build and decode OAuth 2.0 scope strings for Google, GitHub, Stripe, and custom providers. Toggle permissions with risk indicators, generate ready-to-use scope strings, and decode existing scope strings to understand what access they grant.
Use Tool →TLS Cipher Suite Checker — Strength Analyzer
Check TLS protocol version compatibility and cipher suite strength ratings against current best practices. Supports IANA and OpenSSL cipher names — rates each suite as Strong, Weak, or Deprecated and explains why.
Use Tool →IP Allowlist Generator — Firewall Rule Builder
Generate ready-to-paste IP allowlist and blocklist rules for nginx, Apache, iptables, UFW, and AWS Security Groups. Enter IP addresses or CIDR ranges, select your target platform, and get production-ready firewall config instantly.
Use Tool →Password Entropy Calculator — Crack Time Estimator
Calculate the information-theoretic bit entropy of any password or API key. Detects character set pools automatically, shows the total number of possible combinations, and estimates crack time across five attack scenarios from rate-limited web logins to GPU cracking clusters.
Use Tool →Content Security Policy Generator — XSS Shield Builder
Build Content Security Policy headers interactively. Toggle directives like script-src, style-src, and img-src, select allowed source tokens, and add custom origins. Instantly outputs your CSP as an HTTP header, meta tag, Nginx directive, or Apache header.
Use Tool →Share Your Feedback
Help us improve this tool by sharing your experience