How do I check if my API key leaked on GitHub?

Short answer

Scan your full git history (not just HEAD) for patterns matching your vendor's key format: OpenAI (`sk-`), Stripe (`sk_live_`), AWS access key IDs (`AKIA`), Supabase service-role keys (JWTs, so they start with `eyJhbG` like every other JWT). Securie's free scanner at /tools does this in seconds across a public repo.

Automated scrapers index every public GitHub commit within seconds of a push. If your key was ever committed, assume it is compromised, even if you force-pushed over it: the old commit stays fetchable by SHA and survives in any fork.

Quick local check:

```
git log --all -p | grep -E 'sk-(proj-)?[a-zA-Z0-9]{40,}'
```

`--all` covers every branch and tag; add `--reflog` to also include commits you rewrote away locally but that are still in the object store. Swap in your vendor's pattern (`sk_live_`, `AKIA`, `eyJ`) as needed.
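The grep one-liner above only handles one vendor at a time and only reports matching lines, not which commit and file they came from. The following Python script is an added example (not Securie's scanner and not code from the original page): it parses `git log --all --reflog -p` output and reports every commit, file and vendor for all four key formats named in the short answer. The regexes are assumptions chosen to be permissive rather than exact vendor specifications, and the sample log embedded at the bottom is constructed for illustration (it uses AWS's documented placeholder access key ID). Note that both `+` and `-` lines are scanned: a key that was deleted in a later commit is still in history and still leaked.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Assumed, deliberately permissive key shapes for the vendors named on the page.
# Tune these to the exact format each vendor documents.
KEY_PATTERNS = {
    "openai": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "stripe": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}"),
    "aws":    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt":    re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


@dataclass
class Finding:
    commit: str
    path: str
    vendor: str
    secret: str


def scan_patch_text(patch: str) -> list[Finding]:
    """Walk `git log -p` output and flag vendor-shaped secrets on every changed line.

    Added ('+') and removed ('-') lines are both inspected, because a later
    deletion does not remove the key from the repository's object store.
    """
    findings: list[Finding] = []
    commit = path = ""
    for line in patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            # `diff --git a/<path> b/<path>`: take the b/ side (same for deletions).
            path = line.split(" b/", 1)[1]
        elif line[:1] in "+-" and not line.startswith(("+++ ", "--- ")):
            content = line[1:]  # strip the diff marker
            for vendor, rx in KEY_PATTERNS.items():
                for m in rx.finditer(content):
                    findings.append(Finding(commit, path, vendor, m.group(0)))
    return findings


def redact(secret: str) -> str:
    """Show only enough of the value to identify it in a report."""
    return secret[:8] + "..." + secret[-4:]


def scan_repo(repo_path: str = ".") -> list[Finding]:
    """Run git for a local checkout. --all covers refs; --reflog adds commits
    that were rewritten away locally but are still in the object store."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "--reflog", "-p", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_patch_text(out)


# Constructed sample of `git log -p` output: a key committed, then deleted too late.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add config

diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+OPENAI_API_KEY=sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.c2lnbmF0dXJl
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.invalid>
Date:   Tue Jan 2 00:00:00 2024 +0000

    remove secrets (too late)

diff --git a/.env b/.env
deleted file mode 100644
--- a/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-OPENAI_API_KEY=sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.c2lnbmF0dXJl
"""

if __name__ == "__main__":
    # `python scan_history.py /path/to/repo`, or no argument to scan the sample.
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_patch_text(SAMPLE_LOG)
    for f in results:
        print(f"{f.commit[:12]}  {f.path}  {f.vendor}  {redact(f.secret)}")
```

Run it against a real checkout with the repo path as the first argument; without an argument it scans the constructed sample and reports six hits (three keys in the adding commit, the same three in the deleting commit). Any hit means step 1 below: revoke first, clean history second.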

Automated check for public repos: /tools — paste the repo URL, we scan commit history + validate the key against the vendor's API.

If you find a match:

1. Revoke the key at the vendor immediately. Do this before rewriting history; scrapers already have the value.
2. Create a replacement with the minimum permissions the workload needs.
3. Roll the replacement out to every environment that used the old key (CI secrets, deployment config, local .env files).
4. Review the vendor's usage logs for activity you did not generate, and contact the vendor's fraud team if abuse is evident.

GitHub's built-in secret scanning catches only the patterns it knows about and does not flag everything; treat it as one signal, not as proof that nothing leaked.
