Find secrets and API keys in config files
Before you commit a config or paste a .env into a ticket, scan it for API keys, tokens, and passwords. The scan runs locally, so the file never leaves your machine.
Open the tool, then paste the sample input below. Everything runs locally in your browser.
The problem
Config files and .env snippets are a common source of leaked credentials. A key pasted into a pull request or chat can end up indexed forever. You want to scan the text for high-entropy strings and known key patterns before sharing or committing it.
Sample input
DB_HOST=localhost
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_KEY=sk_live_51H8xExampleSecretValue
Expected output
line 2 AWS_SECRET_ACCESS_KEY likely AWS secret key
line 3 STRIPE_KEY likely Stripe live secret (sk_live_)
DB_HOST=localhost is ignored: the name is not credential-like and the value is short and low-entropy. The AWS value is recognised by its 40-character secret-key shape under a variable named *SECRET*, and the Stripe value by its sk_live_ prefix; both are high entropy, so both are flagged. Note that the AWS value above is the placeholder that AWS's own documentation uses, which is why it is safe to show here; a scanner cannot tell a documented example from a live key, so treat every flagged value as real until you have checked where it came from.
How to do it
- Paste the config or .env contents.
- Run the secrets scan.
- Review each flagged line and key type.
- Rotate any real secret found, then remove it from the file (removing alone does not help if it was ever committed or shared).
- Re-scan to confirm the file is clean.
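The scan described in the problem statement and the steps above, written out as an added Python example (this is not the page's tool): it parses .env-style lines, checks each value against a few provider key shapes, recognises the prefix-less AWS secret key by variable name plus its 40-character shape, falls back to Shannon entropy for random-looking values under any name, and finally flags non-empty values under credential-like names such as PASSWORD or TOKEN. The provider patterns, the 20-character minimum, the 3.5 bits/character threshold and the output wording are this example's assumptions, not the tool's settings; the sample input is the page's constructed placeholder data.

```python
import math
import re

# Added example scanner, not the page's tool. The shapes below are the
# commonly documented formats for each provider (assumed, not exhaustive).
KNOWN_PATTERNS = [
    ("AWS access key ID", re.compile(r"^(?:AKIA|ASIA)[A-Z0-9]{16}$")),
    ("Stripe live secret (sk_live_)", re.compile(r"^sk_live_[A-Za-z0-9]{10,}$")),
    ("Stripe test secret (sk_test_)", re.compile(r"^sk_test_[A-Za-z0-9]{10,}$")),
    ("Google API key (AIza)", re.compile(r"^AIza[0-9A-Za-z_\-]{35}$")),
    ("GitHub token (ghp_)", re.compile(r"^ghp_[A-Za-z0-9]{36}$")),
]

# The AWS secret access key has no prefix: 40 base64-ish characters.
# It is recognised by the variable name plus that shape.
AWS_SECRET_SHAPE = re.compile(r"^[A-Za-z0-9/+]{40}$")
AWS_SECRET_NAME = re.compile(r"aws.*secret", re.I)

# Names that usually carry a credential (assumed list).
SENSITIVE_NAME = re.compile(r"(secret|passw(or)?d|token|api_?key|private_?key)", re.I)

MIN_LEN = 20        # shorter values are rarely machine-generated secrets (assumption)
ENTROPY_BITS = 3.5  # bits/char above which a value is "random-looking" (assumption)

# KEY=value, optionally preceded by "export"; comments and blank lines are skipped.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unquote(value):
    """Return the bare value: strip a surrounding quote pair, else a trailing ' # comment'."""
    value = value.strip()
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        if end > 0:
            return value[1:end]
    return value.split(" #", 1)[0].strip()


def classify(name, value):
    """Return a reason string if (name, value) looks like a credential, else None."""
    for label, pattern in KNOWN_PATTERNS:
        if pattern.match(value):
            return "likely " + label
    if AWS_SECRET_NAME.search(name) and AWS_SECRET_SHAPE.match(value):
        return "likely AWS secret key"
    # Entropy fallback: long, space-free, random-looking values with no known prefix.
    # Spaces are excluded because ordinary sentences also score above 4 bits/char.
    if len(value) >= MIN_LEN and " " not in value and shannon_entropy(value) >= ENTROPY_BITS:
        return "high-entropy value (no known prefix; review manually)"
    if value and SENSITIVE_NAME.search(name):
        return f"credential-like name ({name}); check the value"
    return None


def scan_env(text):
    """Scan .env/config text; return [(line_no, name, reason)] for flagged lines."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENV_LINE.match(raw)
        if not m:
            continue
        name, value = m.group(1), unquote(m.group(2))
        reason = classify(name, value)
        if reason:
            findings.append((line_no, name, reason))
    return findings


# Constructed sample input: the page's placeholder values, not real credentials.
SAMPLE_ENV = (
    "DB_HOST=localhost\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "STRIPE_KEY=sk_live_51H8xExampleSecretValue\n"
)

if __name__ == "__main__":
    for line_no, name, reason in scan_env(SAMPLE_ENV):
        print(f"line {line_no} {name} {reason}")
```

Run against the sample it prints the two expected lines and nothing for DB_HOST. Lowering ENTROPY_BITS or MIN_LEN catches more prefix-less keys at the cost of more false positives, which is the trade-off the FAQ describes; a pre-commit hook would call scan_env on each staged .env-style file and refuse the commit when the list is non-empty.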
Common mistakes
- Committing a .env "just this once" without scanning.
- Assuming a key labelled "example" or "test" is a placeholder when it is in fact a real one.
- Ignoring high-entropy values that do not match a known prefix.
- Leaving the secret in git history after deleting it from the file.
- Sharing the file in chat before rotating an exposed key.
FAQ
What kinds of secrets does the scan find?
Known key shapes such as AWS, Stripe, and Google keys, plus high-entropy strings and common names like password or token in config and .env files.
Is my config file uploaded to scan it?
No. The scan runs entirely in your browser, so the file and any secrets in it never leave your machine.
I found a real secret — what now?
Rotate it immediately, remove it from the file, and purge it from version control history; a committed secret should be treated as compromised.
Why was a value flagged that is not a known key type?
High-entropy strings are flagged even without a known prefix, because random-looking values are often credentials. Review and dismiss false positives.
Does deleting the line fix a leaked key?
Not by itself. If the key was committed, it remains in git history, so rotate the key as well as removing it.
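Why deleting the line is not enough, shown with git as an added Python example (not the page's tool): it builds a throw-away repository, commits a .env containing the page's placeholder Stripe key, deletes the key in a second commit, and then runs the check a reviewer would use, git log --all -p -S<value>, which still returns the commit that introduced it. It needs a local git binary; the demo@example.invalid identity, the temporary-directory layout and the function names are this example's assumptions.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not the page's tool. The key is the page's constructed
# placeholder, not a real credential.
PLACEHOLDER_KEY = "sk_live_51H8xExampleSecretValue"


def git_available():
    """True if a git binary is on PATH (the demo is skipped otherwise)."""
    return shutil.which("git") is not None


def git(repo, *args):
    """Run a git command inside repo and return its stdout as text."""
    return subprocess.run(
        ["git", "-C", repo, *args], check=True, capture_output=True, text=True
    ).stdout


def secret_in_history(repo, needle):
    """True if needle appears in the diff of any commit on any branch.

    git log -S<needle> lists commits that added or removed the string; -p prints
    their diffs, so the needle itself shows up in the output when it is still
    recoverable from history."""
    out = git(repo, "log", "--all", "-p", f"-S{needle}", "--pretty=format:%H")
    return needle in out


def demo_delete_is_not_enough():
    """Commit a key, delete it, then check the working tree and the history.

    Returns (key_in_working_tree, key_in_history); the expected outcome is
    (False, True): gone from the file, still recoverable from git history."""
    repo = tempfile.mkdtemp()
    try:
        git(repo, "init", "-q")
        git(repo, "config", "user.email", "demo@example.invalid")  # assumed identity
        git(repo, "config", "user.name", "demo")
        env_path = os.path.join(repo, ".env")

        # Commit 1: the .env committed "just this once" with the key in it.
        with open(env_path, "w") as f:
            f.write(f"DB_HOST=localhost\nSTRIPE_KEY={PLACEHOLDER_KEY}\n")
        git(repo, "add", ".env")
        git(repo, "commit", "-q", "-m", "add config")

        # Commit 2: the line is deleted; the working tree is now clean.
        with open(env_path, "w") as f:
            f.write("DB_HOST=localhost\n")
        git(repo, "commit", "-q", "-am", "remove key")

        with open(env_path) as f:
            in_working_tree = PLACEHOLDER_KEY in f.read()
        return in_working_tree, secret_in_history(repo, PLACEHOLDER_KEY)
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    if git_available():
        in_tree, in_history = demo_delete_is_not_enough()
        print(f"key in working tree: {in_tree}; key in git history: {in_history}")
        if in_history:
            print("rotate the key, then purge it from history")
    else:
        print("git not found; demo skipped")
```

The same secret_in_history check, run against a real repository with the leaked value, tells you whether a history rewrite is still needed after the rotation; since anyone who cloned or fetched the repository before the rewrite keeps the old objects, the rotation is the part that actually closes the exposure.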