ClearedToShip
Free tool

Secrets Scanner

Exposed API keys are one of the most common — and most expensive — vibe-coding mistakes. Enter your app's URL to scan its client-side code for leaked secrets. Public keys (Supabase anon, Stripe publishable) are not flagged.

Found exposed secrets?

Read how to rotate an exposed API key and how to secure environment variables, or get a full, human-reviewed clearance.

FAQ

What does the secrets scanner check?
It fetches your page and its same-origin scripts and looks for high-risk secrets that should never reach the browser — Stripe secret keys, AWS keys, GitHub and OpenAI tokens, private keys and Supabase service-role keys.
Why isn't my Supabase anon key flagged?
Because it's public by design. The Supabase anon key, Stripe publishable key and Firebase web config are meant to ship in your frontend — your security there comes from RLS and rules, not from hiding the key. We only flag secrets that are genuinely dangerous in the client.
A secret was found — what now?
Treat it as compromised: rotate it immediately, move it to a server-side environment variable, and purge it from your bundle and git history. Our guide on securing environment variables walks through it.
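To make the flagged/not-flagged distinction concrete, here is an added example (not ClearedToShip's own code) of checking one bundle's text for the secret types listed above. The rule names, the regular expressions (approximations of the publicly documented key formats) and the sample bundle are assumptions made for illustration; the Supabase check decodes the JWT's `role` claim so the anon key passes and the service-role key does not.

```javascript
// Added example. Patterns approximate public key formats (assumption), not a vendor spec.
const RULES = [
  ["stripe-secret-key", /\bsk_live_[0-9A-Za-z]{24,}/g],
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/g],
  ["github-token", /\bghp_[0-9A-Za-z]{36}\b/g],
  ["openai-token", /\bsk-[0-9A-Za-z_-]{20,}/g],
  ["private-key", /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g],
];
const JWT = /\beyJ[0-9A-Za-z_-]+\.eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g;

// Decode a JWT payload without verifying it; returns null if it is not JSON.
function jwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Never echo a full secret into a report: keep a short prefix only.
const redact = (s) => s.slice(0, 8) + "...";

function scanBundle(source) {
  const findings = [];
  for (const [rule, re] of RULES) {
    for (const m of source.matchAll(re)) {
      findings.push({ rule, index: m.index, match: redact(m[0]) });
    }
  }
  for (const m of source.matchAll(JWT)) {
    const payload = jwtPayload(m[0]);
    if (payload && payload.role === "service_role") {
      findings.push({ rule: "supabase-service-role-key", index: m.index, match: redact(m[0]) });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Constructed sample bundle: every value below is fake and built at runtime.
const fakeJwt = (role) => [{ alg: "HS256", typ: "JWT" }, { iss: "supabase", role }]
  .map((o) => Buffer.from(JSON.stringify(o)).toString("base64url")).concat("c2ln").join(".");
const SAMPLE_BUNDLE = [
  `const stripe = Stripe("pk_live_${"a".repeat(24)}");`,
  `const anon = "${fakeJwt("anon")}";`,
  `const admin = "${fakeJwt("service_role")}";`,
  `fetch(url, { headers: { Authorization: "Bearer sk_live_${"b".repeat(24)}" } });`,
].join("\n");
```

Running `scanBundle(SAMPLE_BUNDLE)` under Node.js reports the service-role JWT and the `sk_live_` key, and stays silent on the publishable key and the anon JWT.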

Scans only publicly reachable client-side code. Use only on apps you own or are authorized to test.
