API key exposure scanner

API Key Leak Detector
60-Second Bundle Scan

AI-generated code accidentally bundles API keys into client-side JavaScript. SecuriSky scans your live app's JavaScript bundles for 20+ secret patterns — Stripe, OpenAI, AWS, Supabase, GitHub, Clerk — and gives you an instant fix prompt.

No signup required for your first scan. No source code access needed.

Services SecuriSky scans for

Stripe — sk_live_, pk_live_, rk_live_
Financial fraud: with the secret key (sk_live_) or a restricted key (rk_live_) an attacker can issue refunds, create charges and read customer data. The publishable key (pk_live_) is designed to be embedded in the browser and is not a secret by itself.

OpenAI — sk-proj-, sk-...
Unlimited API usage billed to your account — $1,000s in fraudulent charges within hours

Supabase — service_role key, anon key
Full database bypass: the service_role key overrides every RLS policy. The anon key is designed to be public and is only a problem on tables that have no RLS.

AWS — AKIA..., ASIA...
Cloud infrastructure access — S3 data exfiltration, EC2 instance spawning, IAM escalation. An access key ID is only usable together with its secret access key, which is why a lone AKIA string is reported for verification rather than as critical.

Clerk — pk_live_, sk_live_
Auth system access: the secret key (sk_live_) gives full Backend API access, so an attacker can impersonate any user and bypass authentication. The publishable key (pk_live_) is meant for the browser and is not a secret on its own.

GitHub — ghp_, gho_, github_pat_
Repository access — read private repos, extract code, push malicious commits

Anthropic — sk-ant-...
Unbounded Claude API usage billed to your account

SendGrid / Twilio — SG. (SendGrid API key), AC... (Twilio Account SID), SK... (Twilio API key SID)
Send bulk spam/phishing as your domain, access contact database

How the scan works

1. Fetches your JS bundles
SecuriSky downloads every JavaScript file served by your app — the same files any visitor's browser downloads.

2. Applies 20+ secret patterns
Regex patterns for every major SaaS API key format are run against the bundle contents. Each match is checked against the service's documented key prefix and format before it is reported, so a random string that merely resembles a key is not flagged.

3. Reports severity + evidence
Live production keys are critical. Test keys are medium. Each finding shows the token prefix without exposing the full secret.

4. AI fix prompt included
The prompt tells you exactly which file, which variable, and how to move the secret to a server-side environment variable.
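The detection logic behind steps 2 and 3, as an added example written for this page (it is not SecuriSky's code, and SecuriSky's real pattern set is not published): regex patterns for the prefixes listed above, severity assignment, prefix-only evidence and a file:line:column location, run over a constructed bundle containing fake tokens. The pattern list, severity scheme and sample bundle are assumptions; the network fetch of step 1 is left out so the block runs offline.

```javascript
// Added example, not SecuriSky's code: the core of a bundle secret scan, runnable offline.
// The pattern list covers the prefixes named on this page; real scanners carry many more.
const PATTERNS = [
  // Live/secret keys are critical, test keys medium. Identifiers that are useless without a
  // paired secret (AWS access key ID) are medium with a "verify" note, and publishable keys
  // that are designed to ship in the browser (Stripe pk_live_) are informational only.
  { name: 'Stripe live secret key', re: /\bsk_live_[0-9A-Za-z]{20,}/g, severity: 'CRITICAL' },
  { name: 'Stripe live restricted key', re: /\brk_live_[0-9A-Za-z]{20,}/g, severity: 'CRITICAL' },
  { name: 'Stripe test secret key', re: /\bsk_test_[0-9A-Za-z]{20,}/g, severity: 'MEDIUM' },
  { name: 'Stripe publishable key', re: /\bpk_live_[0-9A-Za-z]{20,}/g, severity: 'INFO' },
  { name: 'OpenAI API key', re: /\bsk-proj-[0-9A-Za-z_-]{20,}/g, severity: 'CRITICAL' },
  { name: 'Anthropic API key', re: /\bsk-ant-[0-9A-Za-z_-]{20,}/g, severity: 'CRITICAL' },
  { name: 'AWS access key ID', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g, severity: 'MEDIUM' },
  { name: 'GitHub personal access token', re: /\bghp_[0-9A-Za-z]{36}\b/g, severity: 'CRITICAL' },
  { name: 'GitHub fine-grained PAT', re: /\bgithub_pat_[0-9A-Za-z_]{22,}/g, severity: 'CRITICAL' },
  { name: 'SendGrid API key', re: /\bSG\.[0-9A-Za-z_-]{22}\.[0-9A-Za-z_-]{43}/g, severity: 'CRITICAL' },
];
const SEVERITY_ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, INFO: 3 };

// Evidence keeps enough of the token to identify it (service prefix plus a few characters),
// never the whole secret, so the report itself is not a second leak.
function redact(token) {
  return token.slice(0, 12) + '...';
}

// Scan one bundle's text. Returns findings as {severity, name, evidence, location}, where
// location is path:line:column, the form a developer can jump to in the built output.
function scanBundle(path, contents) {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of contents.matchAll(p.re)) {
      const before = contents.slice(0, m.index);
      const line = before.split('\n').length;
      const column = m.index - (before.lastIndexOf('\n') + 1) + 1;
      findings.push({ severity: p.severity, name: p.name, evidence: redact(m[0]), location: `${path}:${line}:${column}` });
    }
  }
  // Stable sort: most severe first, original match order within a severity.
  return findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
}

function countBySeverity(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Render a finding in the one-line form shown under "What typical findings look like".
function formatFinding(f) {
  return `${f.severity}: ${f.name} (${f.evidence}) found in ${f.location}`;
}

// Constructed sample bundle with fake tokens (AKIAIOSFODNN7EXAMPLE is AWS's documented example ID).
const SAMPLE_BUNDLE = [
  'const s=Stripe("pk_live_51AbCdEfGhIjKlMnOpQrStUv");',
  'fetch("https://api.stripe.com/v1/charges",{headers:{Authorization:"Bearer sk_live_51AbCdEfGhIjKlMnOpQrStUvWxYz0123"}});',
  'const o={apiKey:"sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"};const a="AKIAIOSFODNN7EXAMPLE";',
  'const t="sk_test_51ZzYyXxWwVvUuTtSsRrQqPpOoNn";',
].join('\n');

for (const f of scanBundle('chunk.abc123.js', SAMPLE_BUNDLE)) console.log(formatFinding(f));
```

On the sample the scan reports the live secret key and the OpenAI key as critical, the test key and the AWS access key ID as medium, and the publishable key as informational; the full token never appears in any finding. Adding a service means adding one line to PATTERNS with its documented prefix and character set.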

What typical findings look like

  • CRITICAL: Stripe live secret key (sk_live_4xABCD...) found in chunk.abc123.js:1:38492
  • CRITICAL: OpenAI API key (sk-proj-...) found in _next/static/chunks/app-layout.js
  • HIGH: Supabase service_role key found in JavaScript bundle — bypasses all RLS policies
  • MEDIUM: AWS access key ID (AKIA...) detected in bundle — verify if active
  • MEDIUM: Stripe test key (sk_test_...) found — deployment process exposes environment variables

Common questions

How does the API key leak detector work?

SecuriSky fetches all JavaScript bundles served by your deployed application — the same files a browser downloads when a user visits your site. It then applies 20+ regex patterns against the bundle contents to detect known API key formats for major services. When a match is found, the evidence shows the token prefix (e.g., sk_live_4xAB...) without exposing the full key.

Which API keys and tokens does it detect?

Stripe (secret + publishable), OpenAI, Supabase (service role + anon), Clerk, GitHub (PATs + OAuth), AWS (access key IDs), Twilio, SendGrid, Anthropic, Google API, Firebase server keys, Slack bot tokens, Linear API keys, and 10+ additional patterns. The list is updated regularly.

My key is not live (it's a test key). Is it still a problem?

It depends. Stripe test keys (sk_test_) only reach test-mode data, so the direct impact is limited. But exposing one still shows that your deployment process is leaking environment variables into the client bundle, which means your live key could be next. SecuriSky therefore flags test keys as medium severity and live keys as critical.

How did my API key end up in a JavaScript bundle?

The most common causes: giving a secret the NEXT_PUBLIC_ prefix (Next.js inlines every NEXT_PUBLIC_ variable into the browser bundle at build time; a variable without the prefix is simply undefined in client code, so it cannot leak that way), importing a server-only module from code that is also shipped to the client, or hard-coding credentials in a config file that gets bundled. SecuriSky's AI fix prompt explains exactly what happened and how to move the secret server-side.
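To make the NEXT_PUBLIC_ mechanism concrete, here is an added example (not SecuriSky's code and not Next.js's implementation) that models the build-time substitution in a few lines and runs it over a constructed leaking client file and over the fixed client/server split. The substitution rule it models (NEXT_PUBLIC_ names inlined as string literals, any other process.env name undefined in client code) is Next.js's documented behaviour; the file contents, the /api/checkout route and the key values are invented for the example.

```javascript
// Added example, not SecuriSky's or Next.js's code: a minimal model of the build-time
// substitution that copies NEXT_PUBLIC_* values into browser bundles, applied to a leaking
// client file and to its fix. File contents, route path and key values are constructed.

// Model of the client-bundle rule: a NEXT_PUBLIC_ name becomes a string literal in the output,
// any other process.env name becomes `undefined`. (Real builds do this inside the bundler;
// the effect on the shipped JavaScript is the same.)
function inlineClientEnv(source, env) {
  return source.replace(/process\.env\.([A-Z0-9_]+)/g, (_, name) => {
    if (!name.startsWith('NEXT_PUBLIC_') || !(name in env)) return 'undefined';
    return JSON.stringify(env[name]);
  });
}

function buildClientBundle(sources, env) {
  return sources.map((s) => inlineClientEnv(s, env)).join('\n');
}

// Which env values appear verbatim in the output? This is what a bundle scan would see.
function leakedSecrets(bundle, env) {
  return Object.keys(env).filter((name) => bundle.includes(env[name]));
}

// BEFORE: a client component calling Stripe directly. Naming the secret NEXT_PUBLIC_ is the
// bug: it tells the build to ship the value to every visitor. Constructed source.
const LEAKY_CLIENT = `"use client";
export async function pay(amount) {
  const r = await fetch("https://api.stripe.com/v1/payment_intents", {
    method: "POST",
    headers: { Authorization: "Bearer " + process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY },
    body: new URLSearchParams({ amount, currency: "usd" }),
  });
  return r.json();
}`;

// AFTER, client half: the browser only talks to our own endpoint and holds no key.
const FIXED_CLIENT = `"use client";
export async function pay(amount) {
  const r = await fetch("/api/checkout", { method: "POST", body: JSON.stringify({ amount }) });
  return r.json();
}`;

// AFTER, server half (app/api/checkout/route.js). STRIPE_SECRET_KEY has no NEXT_PUBLIC_
// prefix, so it is read from the server process at request time and never enters a client
// bundle; importing "server-only" turns an accidental client import into a build error.
const FIXED_SERVER = `import "server-only";
export async function POST(request) {
  const { amount } = await request.json();
  const r = await fetch("https://api.stripe.com/v1/payment_intents", {
    method: "POST",
    headers: { Authorization: "Bearer " + process.env.STRIPE_SECRET_KEY },
    body: new URLSearchParams({ amount, currency: "usd" }),
  });
  const pi = await r.json();
  return Response.json({ clientSecret: pi.client_secret }); // only what the browser needs
}`;

// Constructed build environment with fake keys. The first variable is the mistake.
const BUILD_ENV = {
  NEXT_PUBLIC_STRIPE_SECRET_KEY: 'sk_live_51LEAKEDAbCdEfGhIjKlMnOpQr',
  STRIPE_SECRET_KEY: 'sk_live_51SERVERAbCdEfGhIjKlMnOpQr',
};

// Build the client bundle both ways and report which env values landed in it.
// FIXED_SERVER is a route handler and is never part of the client build.
function compareBuilds() {
  const before = buildClientBundle([LEAKY_CLIENT], BUILD_ENV);
  const after = buildClientBundle([FIXED_CLIENT], BUILD_ENV);
  return { before: leakedSecrets(before, BUILD_ENV), after: leakedSecrets(after, BUILD_ENV) };
}

console.log(compareBuilds());
```

The "before" build contains the literal sk_live_ string, which is exactly what the bundle scan finds; the "after" build contains no key at all. Running the server file through the same substitution (as would happen if it were imported by client code) yields `undefined` rather than the key, which is why the fix is to rename the variable and move the call, not to rename it alone.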

I rotated my key — how do I verify the fix?

Rotating the key revokes the old one, but it does not remove it from your bundle. Remove the reference from client-side code, redeploy, then trigger a new scan on SecuriSky. The API key scanner confirms whether the old key is still present in your bundles. If the rotation was successful and your new build does not include the new key either, the finding will be gone.

Check if your keys are exposed now.

Free scan. No signup. No source code needed. Results in 60 seconds.

Scan for Leaked API Keys →

After your free scan, Pro is $19/mo. Cancel anytime.