Free tool

Is your page leaking an API key?

Paste your page's URL and we scan the HTML and JavaScript it serves to the public for exposed API keys, tokens, and secrets that were never meant to ship to the browser. Free, no signup.

Free. No signup. Most scans finish in seconds.

What we check

We fetch the page you submit and scan what it actually serves to the browser - the HTML and the JavaScript bundles - for patterns that look like secrets: API keys, access tokens, and private keys in the formats the common providers use. If a key that belongs in your server environment is sitting in client-side code where anyone can read it, we flag it and tell you what we matched.

This reads only what your page already serves to the public, the same source any visitor can view. We don't touch your server, your repo, or anything behind a login. And we don't store the secrets we find - we report that there's a match and where, so you can rotate it.
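The kind of pattern scan described above, as an added Python example that is not CopyMosaic's own code. The patterns are a few publicly documented key formats chosen as assumptions, the page content is a constructed sample, and each finding records where the match is plus a masked preview instead of the secret.

```python
import re

# Assumed rule set: publicly documented key formats, not the tool's actual patterns.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def scan(resources):
    """resources maps a name to the text of the HTML or JS bundle the page serves."""
    findings = []
    for name, text in resources.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                start = m.start()
                line = text.count("\n", 0, start) + 1
                column = start - (text.rfind("\n", 0, start) + 1) + 1
                findings.append({
                    "resource": name,
                    "kind": kind,
                    "line": line,
                    "column": column,
                    # Keep a 4-character prefix only, so the report never holds the secret.
                    "preview": m.group(0)[:4] + "*" * 8,
                })
    return findings

# Constructed sample of what a page serves. The AWS value is the placeholder key
# from AWS documentation; the pk_live_ value is a made-up publishable key, which
# is meant to be public and so should not be flagged.
SAMPLE = {
    "index.html": (
        "<html>\n"
        '<script>window.cfg = {stripe: "pk_live_CONSTRUCTEDSAMPLE0000000"};</script>\n'
        '<script src="/app.js"></script>\n'
        "</html>\n"
    ),
    "app.js": (
        'const region = "us-east-1";\n'
        'const s3 = new Client({accessKeyId: "AKIAIOSFODNN7EXAMPLE"});\n'
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['resource']}:{f['line']}:{f['column']} {f['kind']} {f['preview']}")
```

A run with no findings means only that none of these patterns matched the resources passed in.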

Why it matters

Secrets leak into the browser more easily than people think. A key meant for server-side use gets imported into a client component, a debug value never gets stripped from a build, a third-party snippet ships a token in plain sight. It all looks fine in your editor, because the leak only exists in the bundle your site serves - the one thing you never re-read after shipping.

The problem is that anyone can read it. View source or open the network tab, and a live key is right there for anyone to copy, abuse, or run up charges on. By the time you notice, it's because of a billing spike or an abuse report. A scan of what your page actually serves catches the obvious exposures before someone else does - though finding nothing here is a good sign, not a guarantee, since we match known patterns, not every possible secret.

Questions

What kinds of secrets do you detect?

Patterns that match common API keys, access tokens, and private keys in the formats well-known providers use, found in the HTML or JavaScript your page serves. We flag what we match and where, so you can rotate it.

Do you store or log the keys you find?

No. We report that a match exists and where it is so you can act on it. We don't keep the secret itself. If we flag something real, treat it as compromised and rotate it - assume it's already been read.

Does a clean result mean I have no leaks?

It means we didn't match a known secret pattern on this page. That's a good sign, but not a guarantee - we check what this page serves against common formats, not every possible secret or every page on your site. It's a fast safety check, not a full security audit.

Is it really free?

Yes. Paste a URL and run it, no account needed. The same scan also runs all of CopyMosaic's other checks, and you can open the full report to see them.

CopyMosaic checks what an unauthenticated visitor can see from the outside. It does not verify server-side tracking, payment completion, CRM routing, or logged-in flows.