Exposed API Key Scanner
Find exposed API keys before they leak
AI coding tools love to hardcode secrets — a live Stripe key here, an OpenAI token there. VibeSafe scans your code for exposed API keys and credentials and shows you exactly how to secure them, in plain English.
3 free scans every month · Your code is never stored
What is an exposed API key?
An exposed (or "hardcoded") API key is a secret credential written directly into your source code — for example const key = "sk_live_…" — instead of being loaded from a secure environment variable. Anyone who can see the code, whether in a public GitHub repo or through your browser's "view source", can copy it.
Why it's dangerous
Automated bots scan public repositories for keys within minutes of a commit. A leaked key can let attackers run up huge charges on your Stripe or OpenAI account, read or delete your database, or impersonate your app. It's one of the most common — and most expensive — mistakes in AI-built apps.
Keys VibeSafe looks for
- Stripe, OpenAI, and other live service keys
- Supabase and Firebase keys and database URLs
- JWT secrets and auth tokens
- Database passwords and connection strings
- Generic high-entropy secrets hardcoded in source
How to fix an exposed key
Move it to an environment variable and load it at runtime — e.g. process.env.STRIPE_KEY (JavaScript) or os.environ.get("STRIPE_KEY") (Python) — add .env to .gitignore, and rotate the key (generate a new one), because the old one may already be compromised. VibeSafe shows this fix for every key it finds and can apply it automatically.
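The fix above, shown as an added Python example that is not VibeSafe's code: a minimal .env parser standing in for python-dotenv, a check that the .gitignore actually covers a file named .env, and a loader that refuses to start when the variable is missing instead of falling back to a hardcoded default. The sample .env and .gitignore contents and the variable names are constructed for the example; rotating the key happens in the provider's dashboard and is not shown.

```python
import fnmatch
import os

# Constructed sample files (not from any real project); the key values are made up.
SAMPLE_DOTENV = """\
# local secrets, never committed
STRIPE_KEY=sk_live_EXAMPLEKEYWITHENOUGHLENGTH1234
OPENAI_KEY="sk-EXAMPLEopenaiTokenValue0123456789abcdefghijk"
"""
SAMPLE_GITIGNORE_OK = "node_modules/\n.env\n.env.*\n"
SAMPLE_GITIGNORE_BAD = "node_modules/\ndist/\n"


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for a .env file: blank lines and # comments are
    skipped and one pair of surrounding quotes is removed. This stands in for
    python-dotenv's load_dotenv() so the example runs without dependencies."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def dotenv_is_ignored(gitignore_text: str) -> bool:
    """True if some .gitignore pattern matches a file named `.env` at the repo
    root (negation patterns and directory semantics are not modelled)."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#") or pattern.startswith("!"):
            continue
        pattern = pattern.lstrip("/")
        if fnmatch.fnmatch(".env", pattern):
            return True
    return False


def load_secret(name: str, environ=None) -> str:
    """Read a secret from the environment and fail fast when it is missing or
    blank. `environ` defaults to os.environ and is injectable for tests."""
    env = os.environ if environ is None else environ
    value = env.get(name, "").strip()
    if not value:
        raise MissingSecretError(
            f"{name} is not set; export it or put it in .env (and keep .env in .gitignore)"
        )
    return value


if __name__ == "__main__":
    # Simulate the app's startup against the constructed .env file.
    env = {**os.environ, **parse_dotenv(SAMPLE_DOTENV)}
    stripe_key = load_secret("STRIPE_KEY", env)
    print("STRIPE_KEY loaded, prefix:", stripe_key[:8])
    print(".env ignored in OK gitignore:", dotenv_is_ignored(SAMPLE_GITIGNORE_OK))
    print(".env ignored in BAD gitignore:", dotenv_is_ignored(SAMPLE_GITIGNORE_BAD))
```

The loader raises rather than returning an empty string or a default because a silent fallback is how a placeholder key, or worse a live one, ends up back in the code "just to make it work". The .gitignore check is worth running in CI: an .env file that is parsed correctly but not ignored is still one commit away from being public.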
Questions
Does it scan my whole repo?
Yes — paste a public GitHub repo URL and VibeSafe scans every source and config file for secrets.