Find the leaked secret
Spot the leaked secret in a config or code snippet.
About Secret Hunter
Secret Hunter shows you a realistic config or code snippet and asks you to identify the line that leaks a secret. Every day everyone gets the same challenge so you can compare results. Topics include AWS access keys, GitHub personal access tokens, Stripe live keys, Slack webhooks, database connection strings with embedded passwords, private key blocks, JWTs pasted into source, and more.
Why it helps
- Build intuition for the most common secret leak patterns before a real incident.
- Learn how to recognise known secret prefixes like
AKIA,ghp_,sk_live_, andxoxb-. - Use the related Secrets Scanner to audit full config files and source snippets.
Runs locally in your browser. Progress is stored only in this browser.
What this challenge teaches
Find the leaked secret is a short drill for secret detection. A config or code snippet contains one risky value that should be removed, masked, or rotated before sharing.
Example reasoning path
- Read the prompt and identify the artifact type before looking at the answer choices.
- Compare the expected target with each candidate result and eliminate options that are only formatting changes.
- Secrets can hide in URLs, headers, private keys, JWTs, connection strings, and example environment variables.
After you solve it
Open Secrets Scanner to apply the same skill to your own data. For a broader practice loop, return to Skill Challenges or open Workflow Gallery when the task needs multiple tools.
Challenge state stays local to this browser. Do not paste production secrets into practice prompts.
Practice notes for real projects
Use this page as a warm-up before touching real project data. Read the prompt, write down the signal you are looking for, and only then compare answer choices. That habit carries over to production debugging, where the first visible error is often a symptom rather than the root cause.
After the challenge, recreate the same pattern in the linked tool with a harmless sample. For example, replace real tokens, user identifiers, hostnames, and request bodies with safe values, then verify that the same reasoning still works. This keeps practice useful without exposing private data.
- Save time by checking the smallest artifact that reproduces the issue.
- Write one sentence explaining why the wrong answers fail; that explanation is the skill to reuse later.
- If the challenge involves security, treat decoded or inspected data as untrusted until a separate verification step confirms it.