How to check if an API key or .env file has leaked
Leaked API keys and exposed .env files are the leading cause of cloud account takeovers, unexpected billing spikes, and data breaches. This tool gives you two layers of protection: local pattern detection (instant, always private) and an optional breach database check (opt-in, hash-only).
Layer 1 — Local pattern scan (always on)
Paste your .env content and the tool immediately runs 17 regex patterns against every line in your browser. No data is sent anywhere. Patterns cover the most commonly leaked secret types:
- AWS: Access Key IDs (
AKIA…) and secret key formats - Stripe: Live secrets (
sk_live_) and webhook signing secrets (whsec_) - GitHub: Personal access tokens, OAuth tokens, and app tokens (
ghp_,gho_,ghs_) - OpenAI / Anthropic:
sk-…andsk-ant-…key formats - Google: API keys starting with
AIza - Slack: Bot and user tokens (
xoxb-,xoxp-) - SendGrid, Mailgun, Twilio, Firebase: Provider-specific formats
- Private keys: RSA, EC, OPENSSH, and DSA key blocks
- JWTs: Encoded tokens that may carry sensitive claims
Layer 2 — Breach database check (opt-in)
After a pattern match is found, you can click "Check online" to see if the specific value has appeared in a known breach. This uses two sources:
- HaveIBeenPwned for password-type values — using k-anonymity: your browser hashes the value with SHA-1 and sends only the first 5 characters (1 in 1,048,576 of the key space). The complete hash and your original value never leave your browser.
- Our hash database for API keys and tokens — your browser computes a SHA-256 hash and only that hash is sent. We check it against known-leaked credential hashes. Your actual key is never transmitted.
What to do if a secret is detected or found in a breach
- Rotate immediately — revoke the exposed key and generate a new one from your provider dashboard before doing anything else.
- Audit access logs — check for unauthorized usage in the window between when the key was created and when it was rotated.
- Remove from version control — if the key was ever committed, use
git filter-repoto purge it from history. Assume the history is public even in private repos. - Add a pre-commit hook — use tools like gitleaks or trufflehog in CI to catch secrets before they reach the remote.
- Store secrets in a vault — move long-lived credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager, Doppler) so they never appear in plain text files.