Secrets Scanner

Bookmarklet that scans the current page for exposed API keys

Drag the red button below to your bookmarks bar. On any page, click the bookmark to scan the page's HTML and visible text for patterns matching common API keys, tokens, and credentials. Findings appear in an alert. Useful for auditing your own pages before deploy, and for finding accidentally-exposed keys in source maps, comments, or copy-pasted error messages.

The bookmarklet

Drag this to your bookmarks bar:

Scan for secrets

Heads up: bookmarklets run JavaScript on the current page. This one only reads the page contents and shows a result; it does not exfiltrate anything. You can verify by reading the source below.

Or paste manually into a new bookmark

If your browser doesn't support drag-to-bookmarks, create a new bookmark with this URL:


Test it here

Paste any text (HTML, JSON, source code, error logs) and click Scan. Same patterns the bookmarklet uses.

What it detects

Pattern matchers for common credential formats. False positives are possible; review every finding.

sk-ant-...
Anthropic API key
sk-...
OpenAI / generic "sk-" key
ghp_, gho_, ghu_, ghs_, ghr_
GitHub personal access tokens, OAuth tokens, server tokens
github_pat_...
GitHub fine-grained personal access tokens
xoxb-, xoxp-, xoxa-, xoxr-, xoxs-
Slack tokens (bot, user, app, refresh, configuration)
AKIA...
AWS access key ID
AIza...
Google API key
eyJ...
JSON Web Token (any)
SG.
SendGrid API key
key-...
Mailgun API key
Bearer ...
Authorization header values containing bearer tokens
-----BEGIN ... PRIVATE KEY-----
PEM-encoded private keys

Limitations