Secrets Scanner
Find leaked credentials in pasted code, config, .env files, and logs — AWS keys, GitHub tokens, GCP keys, Slack webhooks, JWTs, private keys, and high-entropy strings.
Daily Developer Tools
Free, browser-based utilities for everyday developer workflows
How to use Secrets Scanner
Paste any code, configuration, log, or .env file and find credentials that may have been committed by accident. Useful before opening a PR, sharing logs in a ticket, or vetting third-party snippets.
What it detects
- AWS access keys (AKIA / ASIA prefixes) and secret access keys.
- GitHub tokens (
ghp_,gho_,ghu_,ghs_,ghr_). - Google Cloud API keys, OAuth client secrets, and service-account private keys.
- Slack tokens (
xoxb-,xoxp-) and incoming webhooks. - Stripe live and test keys, Twilio account SIDs, SendGrid keys.
- JWTs, Bearer tokens, basic-auth credentials in URLs.
- PEM-encoded private keys (RSA, EC, OPENSSH, PGP).
- Optional Shannon-entropy heuristic for unknown high-entropy strings.
Tips & pitfalls
- If a real secret leaks, rotate it immediately — detection alone is not enough. Removing it from history (e.g.
git filter-repo) is also required. - Entropy heuristics can flag UUIDs, hashes, and base64 blobs. Tune the threshold or disable entropy if you get too many false positives.
- This tool runs in your browser only — pasted secrets are never uploaded, but treat any disclosed secret as potentially compromised.
Runs locally in your browser. No uploads.