Free Exposed API Key Checker

Paste your site's URL and we'll check whether your API keys or secrets are leaking in your frontend JavaScript or a public .env file.

How do API keys end up exposed?

It's one of the most common mistakes in modern web apps, especially ones built fast or with AI coding tools. A secret key gets dropped into frontend code, an environment variable meant for the server gets prefixed so it ships to the browser, or a .env file gets deployed to a public path. Once a key is in your JavaScript bundle, it is readable by anyone who opens dev tools. There is no hiding it.

What this tool checks

  • Secrets in JavaScript bundles

    We fetch your site's scripts and scan for real secret keys: Stripe secret keys, OpenAI and Anthropic keys, AWS access keys, Supabase service-role keys, database connection strings, and more. Public-by-design keys (like Stripe publishable keys) are deliberately ignored so you only see real problems.

  • Exposed .env files

    We check whether your .env file is publicly reachable, which would hand an attacker every secret in it at once.

Any key we find is shown masked. We never display a usable secret and store nothing.
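The check described above can be sketched as follows. This is an added example, not DeploySafe's own code: the key formats are the vendors' well-known prefixes, the treatment of Supabase keys as JWTs carrying a `role` claim is an assumption, and every function name and sample value is constructed for illustration.

```python
import base64
import json
import re

# Assumed vendor key formats (well-known prefixes, not taken from the page).
PATTERNS = {
    "stripe_secret": re.compile(r"\b[sr]k_live_[0-9A-Za-z]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/'\"]+:[^\s@'\"]+@[^\s'\"]+"),
}
JWT = re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")

def mask(secret):
    # Keep just enough to identify the key; never echo a usable value.
    return secret[:8] + "*" * 8 + secret[-4:]

def jwt_role(token):
    # Return the payload's "role" claim, or None if the token does not decode.
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(padded)).get("role")
    except (ValueError, AttributeError, IndexError):
        return None

def scan(text):
    findings = []
    for kind, rx in PATTERNS.items():
        findings += [(kind, mask(m.group())) for m in rx.finditer(text)]
    for m in JWT.finditer(text):
        # Anon keys are public by design; only the service_role key is a leak.
        if jwt_role(m.group()) == "service_role":
            findings.append(("supabase_service_role", mask(m.group())))
    return findings

def sample_jwt(role):  # constructed, unsigned token for the demo input
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256'})}.{enc({'role': role})}.c2lnbmF0dXJl"

# Constructed bundle text: a publishable key and an anon key (both ignored),
# plus four values that must be reported.
SAMPLE_BUNDLE = (
    f'const a="pk_live_{"A" * 24}",b="sk_live_{"B" * 24}",'
    f'c="{sample_jwt("anon")}",d="{sample_jwt("service_role")}",'
    f'e="postgres://app:hunter2@db.internal:5432/prod",f="AKIA{"Q" * 16}";'
)

if __name__ == "__main__":
    print(*scan(SAMPLE_BUNDLE), sep="\n")
```

Run against your own build output before deploying, `scan` gives the same signal from inside the pipeline.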

Found a leak? Here's what to do

Rotate the exposed key immediately; it should be considered compromised. Then move it server-side so it never ships to the browser again. Leaked secrets are rarely the only issue in an app, though. DeploySafe's full website security scanner also checks for broken access control, open redirects, missing CSRF protection, and vulnerable dependencies, with a copy-paste fix for each finding.