Free Exposed Secret & API Key Scanner

Secrets hardcoded into front-end code are visible to anyone who views the page source. We scan loaded scripts, inline scripts, and HTML for known credential formats from AWS, Google, Stripe, GitHub, SendGrid and more. Every matched value is redacted in the results.


No credit card required • Instant results

Broad Coverage

Provider-prefixed detection for AWS access keys, Google API keys, Stripe live keys, GitHub tokens, SendGrid, Slack, npm tokens, private keys, and more.

Always Redacted

We never store or display the full secret, only a redacted preview, so the scan itself doesn't become a second leak.

Low Noise

Placeholder and example values are filtered out, and a generic detector uses entropy analysis to avoid false positives on ordinary code.

If we find a secret, treat it as compromised

Anything shipped to the browser is public. If a real credential turns up, you should revoke and rotate it immediately, then move it server-side behind your API. A leaked cloud or payment key can lead to account takeover, fraud, or a full data breach.

A clean scan states plainly that no exposed credentials were found in your client-side code.

Frequently Asked Questions About Exposed Secrets

What is an exposed secret scanner?

An exposed secret scanner inspects the code a website sends to the browser (loaded JavaScript files, inline scripts, and HTML) for credentials that should never be public, such as API keys, access tokens, and private keys. Anything shipped to the front end is visible to anyone who opens the page source, so a hardcoded secret there is effectively published.

What kinds of secrets can it detect?

It recognizes the formats used by major providers, including AWS access keys, Google API keys, Stripe live and restricted keys, GitHub and GitLab tokens, Slack tokens and webhooks, SendGrid and Mailgun keys, Twilio keys, Square and npm tokens, and PEM private key blocks. A generic high-entropy detector also catches custom secrets assigned to obvious key, token, or password fields.

Will the scanner expose my secret in its results?

No. Matched values are always redacted: only a short masked preview is ever shown or stored, never the full secret. The goal is to alert you to a leak without creating a second copy of it. Placeholder and example values are filtered out to keep noise low.
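The detection pipeline described in the three answers above (provider-prefixed patterns, placeholder filtering, an entropy-based generic detector, and redacted previews) as a small worked example. This is added illustration code, not ScanTower's own scanner; the two provider patterns are simplified, the placeholder word list and the 3.5 bits/char entropy cutoff are assumptions, and the JavaScript sample is constructed.

```python
import math
import re
from collections import Counter

# Provider-prefixed formats, simplified for illustration (real rules are fuller).
PROVIDER_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic detector: a quoted value assigned to an obvious key/token/password field.
GENERIC_ASSIGN = re.compile(
    r"""(?i)([A-Za-z_]*(?:api[_-]?key|secret|token|password)[A-Za-z_]*)\s*[:=]\s*["']([^"'\s]{16,})["']"""
)
PLACEHOLDER_WORDS = ("example", "placeholder", "your_", "xxxx", "changeme", "dummy")
ENTROPY_THRESHOLD = 3.5  # bits per char; an assumed cutoff, tune it for your code base

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random-looking keys score high, words score low."""
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in Counter(s).values())

def is_placeholder(value: str) -> bool:
    return any(w in value.lower() for w in PLACEHOLDER_WORDS)

def redact(value: str) -> str:
    """Short masked preview, so a finding never becomes a second copy of the secret."""
    return "*" * len(value) if len(value) <= 8 else value[:4] + "*" * (len(value) - 6) + value[-2:]

def scan_source(text: str) -> list[dict]:
    # Scan one script or HTML document; every reported value is already redacted.
    findings, seen = [], set()
    for name, pat in PROVIDER_PATTERNS.items():
        for value in (m.group(0) for m in pat.finditer(text)):
            if value not in seen and not is_placeholder(value):
                seen.add(value)
                findings.append({"detector": name, "preview": redact(value)})
    for m in GENERIC_ASSIGN.finditer(text):
        value = m.group(2)
        if value in seen or is_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue  # already reported by a provider rule, a placeholder, or ordinary text
        seen.add(value)
        findings.append({"detector": "generic_high_entropy", "preview": redact(value)})
    return findings

# Constructed sample of front-end code, not taken from any real site.
SAMPLE_JS = """
const awsDocExample = "AKIAIOSFODNN7EXAMPLE";             // documentation example -> filtered
const uploader = { accessKeyId: "AKIAQ7T3XK2MB9ZL4VWN" }; // constructed key -> reported
const gh = { token: "ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8" };
const password = "passwordpassword";                     // low entropy -> ignored
const api_key = "c9Xk2pQ7vL0mZ4tR8wB3nH6yJ1sF5dA";       // high entropy -> reported
"""
```

Running `scan_source(SAMPLE_JS)` reports the constructed AWS key, the GitHub token and the high-entropy `api_key` value, each as a masked preview, while the documentation example and the low-entropy password are dropped.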

I found an exposed secret on my site. What should I do?

Treat it as compromised. Revoke and rotate the credential immediately, then move it behind your server-side API so it is never sent to the browser. A leaked cloud or payment key can lead to account takeover, fraudulent charges, or a full data breach, so rotation should happen before anything else.

Is the exposed secret scanner free?

Yes, it is free with no registration. For a complete picture that also covers vulnerable JavaScript libraries, Subresource Integrity, security headers, and SSL/TLS, run a full ScanTower scan from the link below.

Want the Complete Picture?

FREE

This Exposed Secret Scan is great for a quick check, but our Full Security Scan gives you a comprehensive security audit in one go.