.env · security🔥 popular

ENV Leak Checker

Scan your .env file for leaked API keys, exposed secrets, and compromised credentials. Checks AWS, Stripe, GitHub, OpenAI and 14 more patterns. Optional breach database lookup — your values never leave your browser.

Be the first to rate

Quick-check a single value

Only a hash is sent — your value stays in your browser.

17 patterns
4 potential leaks detected
4
high
0
medium
AWS Access Keyline 1
AKIAXXXXXXXXXXXXXXXX
(hash only, never your value)
Stripe Live Secretline 2
sk_live_XXXXXXXXXXXXXXXXXXXXXXXX
(hash only, never your value)
GitHub Tokenline 3
ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(hash only, never your value)
OpenAI API Keyline 4
sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
(hash only, never your value)

What it does

  • Detects 17 secret patterns: AWS, Stripe, GitHub, OpenAI, Anthropic, Slack, Google, SendGrid, Mailgun, Twilio, Firebase, JWT, private keys, and more
  • Optional breach database check — queries HaveIBeenPwned and our hash DB without ever sending your actual value
  • K-anonymity: only the first 5 chars of a SHA-1 hash are transmitted for password checks
  • Severity scoring (HIGH / MEDIUM) for every detection
  • Quick-check a single API key or secret without scanning a full file
  • All regex scans run entirely in your browser — your .env never hits a server

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

Usage examples

Case 1 · AWS + Stripe detected
AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
STRIPE_SECRET=sk_live_XXXXXXXXXXXXXXXXXXXXXXXX
DATABASE_URL=postgres://localhost
✗ line 1  HIGH  AWS Access Key
✗ line 2  HIGH  Stripe Live Secret
✓ line 3  clean
Case 2 · OpenAI + GitHub token
OPENAI_API_KEY=sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
GITHUB_TOKEN=ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PORT=3000
✗ line 1  HIGH  OpenAI API Key
✗ line 2  HIGH  GitHub Token
✓ line 3  clean
Case 3 · Clean file
# App config
NODE_ENV=production
PORT=3000
LOG_LEVEL=info
✓ No known secrets detected.
  4 lines scanned, 17 patterns checked.

When to use this tool

  • Before pasting a .env into Slack, Discord, or a support ticket
  • Pre-push check to confirm no live secrets slipped into a commit
  • Checking if a leaked API key from an incident has appeared in breach databases
  • Auditing a teammate's .env.local before they join a shared codebase
  • Incident response — quickly confirm which credentials in a leaked file are still active
  • CI/CD sanity check on exported environment dumps before archiving

Common mistakes

  • Treating a clean scan as proof of safety — this tool catches known patterns, not custom secret formats
  • Ignoring MEDIUM-severity hits like sk_test_ Stripe keys — test keys still access your test account and billing data
  • Forgetting to rotate a secret after finding it leaked — detection without rotation fixes nothing
  • Pasting the tool output (even masked) into a public channel — the pattern name alone reveals what leaked
  • Assuming private-key blocks are safe because they span multiple lines — the scanner handles multi-line, but verify after any manual editing

How to check if an API key or .env file has leaked

Leaked API keys and exposed .env files are the leading cause of cloud account takeovers, unexpected billing spikes, and data breaches. This tool gives you two layers of protection: local pattern detection (instant, always private) and an optional breach database check (opt-in, hash-only).

Layer 1 — Local pattern scan (always on)

Paste your .env content and the tool immediately runs 17 regex patterns against every line in your browser. No data is sent anywhere. Patterns cover the most commonly leaked secret types:

  • AWS: Access Key IDs (AKIA…) and secret key formats
  • Stripe: Live secrets (sk_live_) and webhook signing secrets (whsec_)
  • GitHub: Personal access tokens, OAuth tokens, and app tokens (ghp_, gho_, ghs_)
  • OpenAI / Anthropic: sk-… and sk-ant-… key formats
  • Google: API keys starting with AIza
  • Slack: Bot and user tokens (xoxb-, xoxp-)
  • SendGrid, Mailgun, Twilio, Firebase: Provider-specific formats
  • Private keys: RSA, EC, OPENSSH, and DSA key blocks
  • JWTs: Encoded tokens that may carry sensitive claims

Layer 2 — Breach database check (opt-in)

After a pattern match is found, you can click "Check online" to see if the specific value has appeared in a known breach. This uses two sources:

  • HaveIBeenPwned for password-type values — using k-anonymity: your browser hashes the value with SHA-1 and sends only the first 5 characters (1 in 1,048,576 of the key space). The complete hash and your original value never leave your browser.
  • Our hash database for API keys and tokens — your browser computes a SHA-256 hash and only that hash is sent. We check it against known-leaked credential hashes. Your actual key is never transmitted.

What to do if a secret is detected or found in a breach

  1. Rotate immediately — revoke the exposed key and generate a new one from your provider dashboard before doing anything else.
  2. Audit access logs — check for unauthorized usage in the window between when the key was created and when it was rotated.
  3. Remove from version control — if the key was ever committed, use git filter-repo to purge it from history. Assume the history is public even in private repos.
  4. Add a pre-commit hook — use tools like gitleaks or trufflehog in CI to catch secrets before they reach the remote.
  5. Store secrets in a vault — move long-lived credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager, Doppler) so they never appear in plain text files.

Frequently asked questions

Does this tool send my .env to a server?

No. The pattern scan is 100% client-side JavaScript. Your file content never leaves your browser unless you explicitly click 'Check online' — and even then, only a cryptographic hash (never the raw value) is transmitted.

How is this different from trufflehog or gitleaks?

trufflehog and gitleaks are CLI tools designed to scan entire git histories for secrets across thousands of commits. This tool is for a different moment: a quick, zero-install check on a single .env file before sharing or committing it. Use both.

Can I check a single API key without pasting a full .env?

Yes — use the Quick-check widget at the top of the tool. Paste one value (no KEY= prefix needed) and click Check. It hashes locally and queries the breach database without running the full regex scan.

Why is my Stripe test key flagged as MEDIUM and not HIGH?

Test keys (sk_test_) cannot make real charges, so they are rated MEDIUM. However, they still expose your test environment, customer test data, and billing metadata — treat them as sensitive and rotate if they leak.

Related tools

Learn more

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.