API key leak check

Check if an API key ended up in your frontend

Scans your live app's client-side code for API keys that should only exist on the server. Covers Stripe, OpenAI, AWS, and generic token patterns.

API keys belong on the server. When they appear in your frontend code - whether through an accidental NEXT_PUBLIC_ prefix, a client component import, or an AI coding tool that took the path of least resistance - anyone who visits your site can extract and use them. This scanner checks your live URL's client-side output for the most common API key patterns.
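The kind of pattern check described above, as an added example (not this scanner's own code or rule set). It scans already-fetched bundle text offline; the regexes are approximations of publicly known key prefixes, and `RULES`, `scanBundle` and `SAMPLE_BUNDLE` are hypothetical names with constructed, fake sample keys.

```javascript
// Added example, not the scanner's own rule set. The regexes approximate
// publicly known key prefixes (assumption); tune them before relying on them.
const RULES = [
  // Stripe secret (sk_) and restricted (rk_) keys; publishable pk_ keys are
  // meant for the browser and are deliberately not matched.
  { name: "stripe-secret", re: /\b[sr]k_(?:live|test)_[0-9a-zA-Z]{16,}\b/g },
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "openai", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g },
  // Generic: a long opaque string assigned to a key/secret/token-like name.
  { name: "generic-token",
    re: /(?:api[_-]?key|secret|token)["']?\s*[:=]\s*["']([A-Za-z0-9_-]{24,})["']/gi },
];

// Returns findings with a truncated preview so the report never repeats a full key.
function scanBundle(text) {
  const seen = new Set();
  const findings = [];
  for (const { name, re } of RULES) {
    for (const m of text.matchAll(re)) {
      const value = m[1] ?? m[0]; // generic rule captures the value in group 1
      if (seen.has(value)) continue; // already reported by a more specific rule
      seen.add(value);
      findings.push({ rule: name, preview: value.slice(0, 8) + "...", index: m.index });
    }
  }
  return findings;
}

// Constructed sample of minified client-side output; every key below is fake.
const SAMPLE_BUNDLE = [
  'const a={NEXT_PUBLIC_STRIPE_KEY:"sk_live_EXAMPLEEXAMPLEEXAMPLE00"};',
  'const b={publishable:"pk_live_EXAMPLEEXAMPLEEXAMPLE00"};', // expected: not flagged
  'const c="AKIAEXAMPLEEXAMPLE00";',
  'fetch(u,{headers:{Authorization:"Bearer sk-proj-EXAMPLEexampleEXAMPLE0000"}});',
  'const d={apiKey:"EXAMPLEtokenEXAMPLEtoken0000"};',
].join("\n");

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`${f.rule} at offset ${f.index}: ${f.preview}`);
}
```

A match means the key has already been served to every visitor, so the remediation is to rotate it and move the call server-side, not only to remove it from the bundle.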