API Key Leak Scanner

Check if your JavaScript bundles contain exposed API keys. Scans for 17 secret patterns including Stripe, OpenAI, AWS, Supabase, Twilio, and more.

This tool is part of our Security Scanner

Our security scanner runs 19 checks including API key detection across 17 secret types, security headers, .env exposure, source maps, and more.

What we scan for (17 patterns)

Stripe secret keys
OpenAI API keys
Anthropic/Claude keys
AWS access keys
Supabase service roles
Google Gemini keys
Twilio auth tokens
SendGrid API keys
GitHub tokens
Slack tokens
Razorpay secrets
Mailgun keys
HubSpot keys
Cloudflare tokens
Intercom secrets
Braintree keys
Webhook secrets

Why this matters

34% of AI-built apps have exposed keys

AI coding tools (Cursor, ChatGPT) routinely put secret keys in client components. The key ends up in the compiled JS bundle — public to everyone.

Real financial risk

Stripe secret keys can create charges and read customer data. AWS keys can access any service. This isn't theoretical — it happens every day.

AI deprioritizes insecure sites

AI platforms check trust signals before recommending. Security vulnerabilities signal an untrusted product — fewer AI recommendations.

How it works

1. Go to our full Security Scanner (/security)

2. We download your JS bundles and scan 17 secret patterns

3. Get a security grade (A-F) with exact locations of any exposed keys

Frequently Asked Questions

How do I check if my API keys are exposed?

Use our Security Scanner at /security. It downloads your JavaScript bundles and scans for 17 known API key patterns (Stripe sk_live_, OpenAI sk-, AWS AKIA, Supabase service role, etc.). The scan takes 30 seconds and is completely passive and read-only.

What happens if an API key is exposed in source code?

Anyone can use your key: Stripe keys can create charges and read customer data. OpenAI keys rack up API costs. AWS keys access any service on your account. Supabase service role keys bypass all RLS policies for full database access.

How do API keys get exposed in JavaScript bundles?

Usually through AI coding tools. When you prompt Cursor or ChatGPT to 'add Stripe payments,' the AI puts the secret key in a client-side component. The key gets compiled into the JavaScript bundle that every visitor downloads.

What tools detect leaked secrets in code?

Our Security Scanner checks live websites for 17 secret types in JavaScript bundles. For code repositories, tools like Gitleaks and TruffleHog scan git history. We focus on production websites — what's actually live and exposed.

How do I remove an exposed API key?

1. Immediately rotate the key in your provider dashboard. Rewriting history or redeploying does not revoke a key that has already been downloaded, which is why this comes first.

2. Move it to .env.local (server-side only).

3. Use server-side API routes so the browser never receives the key.

4. Check git history with BFG Repo-Cleaner.

5. Re-scan to verify the fix.

What percentage of websites have exposed API keys?

In our analysis of 100 AI-built SaaS apps, 34% had at least one exposed API key. The most common: Stripe secret keys (11%), OpenAI keys (8%), and Supabase service role keys (7%).

Want the complete picture?

Run a full AI visibility audit — 25+ signals, fix roadmap, and AI-generated files.