API Key Leak Detector
Scan text or files for leaked API keys — 20+ providers
Free API key leak detector — 20+ providers, 100% private
Toololis API Key Leak Detector scans text for leaked credentials from 20+ providers. Perfect for code review, commit auditing, or verifying that a text sample (like a bug report) doesn't contain real keys. Everything runs in your browser.
How to use this tool
1. Paste text or code
   Any text — code snippets, config files, commit diffs, chat logs, emails.
2. Review detected leaks
   Each found key shows provider, severity, and risk. Click to highlight in text.
3. Rotate leaked keys immediately
   If a key is confirmed leaked — rotate it NOW at the provider dashboard. Old keys are already in Git history + third-party logs.
Detected providers + formats
- OpenAI: sk-..., sk-proj-...
- Anthropic: sk-ant-...
- AWS: AKIA[0-9A-Z]{16}
- GitHub: ghp_, gho_, ghu_, ghs_, ghr_ (36 chars)
- Stripe: sk_live_, sk_test_, pk_live_, pk_test_
- Google: AIza... (39 chars)
- Slack: xoxb-, xoxp-, xoxa-
- SendGrid: SG.[21 chars].[43 chars]
- JWT tokens: eyJ[base64].eyJ[base64].[signature]
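The formats listed above can be applied as prefix + length + character-set checks in a few lines of client-side JavaScript. This is an added example, not Toololis's own code: the character classes, the names RULES, scan and redact, and the sample text are assumptions constructed for illustration.

```javascript
// Added example (not the tool's own code). Prefixes and lengths come from the
// list above; the character classes are assumptions.
const RULES = [
  { provider: "AWS",    re: /\bAKIA[0-9A-Z]{16}\b/g },
  { provider: "GitHub", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  // "AIza" + 35 more characters = 39 total; lookahead enforces the exact length.
  { provider: "Google", re: /\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g },
  { provider: "JWT",    re: /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g },
];

// Keep only a short prefix so the report itself does not re-leak the secret.
function redact(secret) {
  return secret.slice(0, 8) + "*".repeat(Math.max(0, secret.length - 8));
}

// Scan line by line so each finding carries a line and column for review.
function scan(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { provider, re } of RULES) {
      for (const m of line.matchAll(re)) {
        findings.push({ provider, line: i + 1, column: m.index + 1,
                        length: m[0].length, redacted: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these values is a live credential.
const SAMPLE = [
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",   // placeholder key from AWS docs
  "token: ghp_" + "a".repeat(36),               // right prefix, length, charset
  "short = ghp_" + "a".repeat(20),              // right prefix, too short
  "id = AKIAiosfodnn7example",                  // right prefix, wrong charset
  "commit " + "f".repeat(40),                   // long hex string, no prefix
].join("\n");

for (const f of scan(SAMPLE)) {
  console.log(`${f.provider} line ${f.line} col ${f.column}: ${f.redacted}`);
}
```

Only the first two sample lines are reported; the truncated token, the lowercase look-alike and the bare hex string are rejected by the length and character-set checks.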
⚠️ If you found a leaked key
- Rotate immediately at the provider dashboard — don't just delete from code
- Audit logs for unauthorized use during the leak window
- Check Git history: key is likely in old commits — use git filter-repo or BFG to purge
- Notify affected users if customer data was potentially accessed
- Add secret scanning to your CI/CD pipeline to prevent recurrence
Frequently Asked Questions
Which API keys does this detect?
OpenAI (sk-...), Anthropic (sk-ant-...), AWS (AKIA...), GitHub (ghp_, gho_, ghu_, ghs_, ghr_), Stripe (sk_live_, sk_test_, pk_live_, pk_test_), Google (AIza...), Slack (xoxb-, xoxp-, xoxa-), Twilio (AC...), SendGrid (SG....), Mailgun (key-...), Discord bot tokens, and generic JWT tokens.
Is this data sent anywhere?
No. All detection runs client-side via regex. Your code never leaves your browser. Safe for proprietary code + production secrets.
False positives?
Possible — any string matching the exact pattern. Always verify. We check prefix + length + character set to minimize false positives.
What if I found a leaked key?
Rotate immediately. Don't just delete from code — rotate at the provider (OpenAI dashboard, AWS IAM, etc.) because the key is already in Git history, logs, or wherever it leaked. Never trust rotation via deletion alone.
Can I scan Git history?
Not directly here. Use git log -p | [this tool] after copying output, or tools like truffleHog / gitleaks for automated Git scanning.
Do you detect passwords too?
Not reliably — passwords have no fixed format. For password detection, look for common variables (password=, PASSWD, DB_PASS).
🔒
100% Privacy. This tool runs entirely in your browser. Your data is never uploaded to any server.