The check happens entirely in your browser using a local prefix database.
1. Copy the prefix
Look at your API key and copy only the first 4-6 characters — the recognisable prefix like sk-, AIza, or ghp_. Do not paste the full key.
2. Hit "Check Key"
Our JavaScript matches your prefix against 20+ known providers instantly. No network request is made. Your prefix never leaves this tab.
3. Review the result
See which provider issued the key, the exposure risk level (Critical / High / Medium / Low), a provider-specific tip, and a recommended action plan.
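The matching step described above is a plain prefix lookup that can run entirely client-side. The following is an added example written for this page, not the tool's own code: a small classifier that inspects only the leading characters of whatever is typed, matches them against a prefix table, and returns the provider, a risk rating and an action list. The prefix table is an illustrative subset assembled for this example (each prefix is one the respective provider documents publicly); the risk ratings were assigned here by applying the Critical/High/Medium/Low definitions from the FAQ, and the tips and action lists are likewise this example's own wording.

```javascript
// Added example, not the page's code. A browser-side API key prefix classifier.
// The table is an illustrative subset; risk ratings follow the page's definitions
// (Critical: money or repository access; High: third-party API charges; Low: test keys).
const PREFIX_TABLE = [
  { prefix: "sk_live_", provider: "Stripe (live)", risk: "Critical",
    tip: "Live-mode secret keys can move real money; roll the key in the Stripe dashboard." },
  { prefix: "sk_test_", provider: "Stripe (test)", risk: "Low",
    tip: "Test-mode keys touch no real funds, but rotate anyway for consistent hygiene." },
  { prefix: "ghp_", provider: "GitHub personal access token", risk: "Critical",
    tip: "Grants repository access under the token's scopes; revoke it in Developer settings." },
  { prefix: "AKIA", provider: "AWS access key ID", risk: "Critical",
    tip: "Deactivate the key pair in IAM and review CloudTrail for unexpected calls." },
  { prefix: "AIza", provider: "Google API key", risk: "High",
    tip: "Can run up billable API usage; restrict by referrer or IP and regenerate." },
  { prefix: "sk-", provider: "OpenAI", risk: "High",
    tip: "Third parties can bill usage to your account; revoke it on the API keys page." },
  // Longest prefixes first, so a more specific entry always wins over a shorter one.
].sort((a, b) => b.prefix.length - a.prefix.length);

// Recommended action plan per risk level (this example's wording).
const ACTIONS = {
  Critical: ["Revoke now", "Rotate credentials", "Audit provider logs for misuse"],
  High: ["Revoke now", "Rotate credentials", "Check billing and usage"],
  Medium: ["Rotate at next opportunity", "Tighten scopes"],
  Low: ["Rotate when convenient"],
};

// Longest prefix in the table; nothing beyond this many characters is ever inspected.
const MAX_PREFIX_LEN = Math.max(...PREFIX_TABLE.map(e => e.prefix.length));

function classifyPrefix(input) {
  // Trim and cap the input so that even a full key pasted by mistake is reduced
  // to its leading characters before any comparison happens.
  const head = String(input).trim().slice(0, MAX_PREFIX_LEN);
  if (head.length === 0) {
    return { matched: false, reason: "empty input", candidates: [] };
  }

  const hit = PREFIX_TABLE.find(e => head.startsWith(e.prefix));
  if (hit) {
    return {
      matched: true,
      provider: hit.provider,
      risk: hit.risk,
      tip: hit.tip,
      actions: ACTIONS[hit.risk],
    };
  }

  // Too few characters to decide: report which table entries are still consistent
  // with what was typed, so the user knows to supply one or two more characters.
  const candidates = PREFIX_TABLE
    .filter(e => e.prefix.startsWith(head))
    .map(e => e.provider);
  return {
    matched: false,
    reason: candidates.length > 0 ? "prefix too short" : "unknown prefix",
    candidates,
  };
}

// Constructed sample inputs (not real keys) showing the three outcomes.
console.log(classifyPrefix("ghp_EXAMPLE"));   // matched, Critical
console.log(classifyPrefix("sk_l"));          // too short, candidates: Stripe (live)
console.log(classifyPrefix("zzzz"));          // unknown prefix
```

Because the lookup caps the input at the longest table prefix before comparing, the function never holds more of a key than the tool itself asks for, and no network call is involved at any point.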
FAQ
Common questions about API key security
Yes. This tool runs entirely in your browser — no data is sent to any server. We only ask for the first 4-6 characters (the public prefix), which is not enough for anyone to use your key. The prefix just tells us which provider issued it.
Risk level reflects how severe the consequences would be if this key were exposed publicly. Critical means real money or repository access is at stake (AWS, Stripe Live, GitHub). High means a third party can rack up API charges or send messages on your behalf. Medium means a limited blast radius when the key is properly scoped. Low means test/sandbox keys with no real-world impact.
Revoke it immediately from the provider dashboard, then generate a new one. If it was committed to a public Git repository, assume it has already been scraped — bots scan GitHub in real time. Check your provider's usage logs for any unauthorized calls, and report suspicious activity to the provider.
For personal use: an encrypted vault like API Locker (browser extension, AES-256-GCM, local-first). For production apps: environment variables injected at runtime via your CI/CD platform, or a secrets manager like AWS Secrets Manager or HashiCorp Vault. Never hardcode keys in source code or store them in unencrypted text files.