Thank you to everyone who has starred this project! Your support helps raise awareness about API key security and encourages responsible disclosure practices.
Full Version Available: www.UnsecuredAPIKeys.com
The full version offers: Web UI, all API providers, community features, and more.
A command-line tool for discovering and validating exposed API keys on GitHub. This lite version focuses on educational and security awareness purposes.
| Feature | Lite (This Repo) | Full Version |
|---|---|---|
| Search Provider | GitHub only | GitHub, GitLab, SourceGraph |
| API Providers | OpenAI, Anthropic, Google | 15+ providers |
| Valid Key Cap | 50 keys | Higher limits |
| Interface | CLI | Web UI + API |
| Database | SQLite (local) | PostgreSQL |
This tool is for educational and security awareness purposes only.
- Learn how API keys get exposed in public repositories
- Understand the importance of secret management
- Report exposed keys responsibly to repository owners
- Never use discovered keys for unauthorized access
Do NOT publish your database or results publicly. This would expose working API keys to malicious actors.
Download the latest release for your platform from Releases:
| Platform | File |
|---|---|
| Windows | unsecuredapikeys-win-x64.exe |
| Linux | unsecuredapikeys-linux-x64 |
No .NET runtime required - these are self-contained executables.
Windows:

```
.\unsecuredapikeys-win-x64.exe
```

Linux:

```
chmod +x unsecuredapikeys-linux-x64
./unsecuredapikeys-linux-x64
```

On first run, go to Configure Settings > Set GitHub Token.
Create a token at: https://github.com/settings/tokens
Required scope: public_repo
- Start Scraper: Searches GitHub for exposed API keys (runs continuously)
- Start Verifier: Maintains up to 50 valid keys (re-checks as needed)
- View Status: Shows current statistics
- Export Keys: Export to JSON or CSV
If you prefer to build from source:
```
git clone https://github.com/TSCarterJr/UnsecuredAPIKeys-OpenSource.git
cd UnsecuredAPIKeys-OpenSource
dotnet build
cd UnsecuredAPIKeys.CLI
dotnet run
```

- Uses your GitHub token to search for common API key patterns
- Extracts potential keys using regex patterns for OpenAI, Anthropic, and Google
- Stores discovered keys in a local SQLite database
- Validates discovered keys against the actual provider APIs
- Maintains exactly 50 valid keys (lite limit)
- Re-checks existing valid keys periodically
- When a key becomes invalid, verifies new ones until back to 50
```
UnsecuredAPIKeys-OpenSource/
├── UnsecuredAPIKeys.CLI/        # Main CLI application
├── UnsecuredAPIKeys.Data/       # SQLite database layer
├── UnsecuredAPIKeys.Providers/  # API validation providers
├── unsecuredapikeys.db          # SQLite database (auto-created)
└── README.md
```
- .NET 10 SDK - Download here
- GitHub Personal Access Token - Create here
- Platform: Windows, macOS, or Linux
| Provider | Pattern Examples |
|---|---|
| OpenAI | sk-proj-*, sk-or-v1-* |
| Anthropic | sk-ant-api* |
| Google AI | AIzaSy* |
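From the defender's side, the same prefixes can be checked in your own files before they are pushed. The following is an added example, not code from this project: the prefixes come from the table above, while the trailing character class, the 20-character minimum, the function names and the sample input are assumptions made for illustration.

```python
import hashlib
import re

# Prefixes are grouped as in the provider table above; the trailing character
# class and the 20-character minimum are assumptions, not the tool's regexes.
_TAIL = r"[A-Za-z0-9_\-]{20,}"
PATTERNS = {
    "OpenAI": re.compile(r"\bsk-(?:proj|or-v1)-" + _TAIL),
    "Anthropic": re.compile(r"\bsk-ant-api" + _TAIL),
    "Google AI": re.compile(r"\bAIzaSy" + _TAIL),
}


def redact(secret: str) -> str:
    """Keep the first 8 chars for triage; replace the rest with a short hash."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:8]
    return f"{secret[:8]}...[sha256:{digest}]"


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per match, never including the full key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "path": path, "line": lineno, "provider": provider,
                    "redacted": redact(match.group(0)),
                })
    return findings


# Constructed sample input: fake values that only look like keys.
SAMPLE = """\
OPENAI_API_KEY=sk-proj-EXAMPLEexampleEXAMPLEexample0000
model = "gpt-4"  # no secret on this line
client = Anthropic(api_key="sk-ant-api03-EXAMPLEexampleEXAMPLE0000")
GOOGLE_API_KEY = os.environ["GOOGLE_API_KEY"]  # safe: read from environment
maps_key: AIzaSyEXAMPLEexampleEXAMPLEexample0000
"""

if __name__ == "__main__":
    for f in scan_text("config.py", SAMPLE):
        print(f"{f['path']}:{f['line']}: {f['provider']} key {f['redacted']}")
```

Findings carry only a redacted form, so the scan output itself can be logged or attached to a ticket without re-exposing the key.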
Copy appsettings.example.json to appsettings.json and configure:
```
{
  "GitHub": {
    "Token": "ghp_YOUR_TOKEN"
  },
  "Database": {
    "Path": "unsecuredapikeys.db"
  }
}
```

Or configure directly via the CLI menu.
The SQLite database (unsecuredapikeys.db) is auto-created on first run in the working directory.
| Action | How |
|---|---|
| Location | Same folder as the executable |
| Reset | Delete unsecuredapikeys.db and restart |
| Backup | Copy the .db file |
| View data | Use any SQLite browser (e.g., DB Browser for SQLite) |
On first run, default search queries are automatically seeded:
- sk-proj-, sk-or-v1-, OPENAI_API_KEY (OpenAI)
- sk-ant-api, ANTHROPIC_API_KEY (Anthropic)
- AIzaSy, GOOGLE_API_KEY (Google)
The scraper rotates through these queries automatically.
Built-in delays prevent API abuse:
| Operation | Delay |
|---|---|
| Between searches | 5 seconds |
| Between verifications | 1 second |
| Batch size | 10 keys |
GitHub's API allows ~30 searches/minute with authentication.
| Issue | Solution |
|---|---|
| "No GitHub token configured" | Go to Configure Settings > Set GitHub Token |
| "Rate limit exceeded" | Wait 60 seconds, or use a different token |
| Build fails | Ensure .NET 10 SDK is installed: dotnet --version |
| No keys found | Check your token has public_repo scope |
| Database locked | Close other apps using the .db file |
- Educational Purpose: This tool demonstrates API security vulnerabilities
- Responsible Use: Only use for legitimate security research
- No Abuse: Do not use discovered keys for unauthorized access
- Compliance: Follow all applicable laws and terms of service
This project uses a custom attribution-required license based on MIT.
Any use of this code requires visible attribution:
- Display: "Based on UnsecuredAPIKeys Open Source"
- Link to: https://github.com/TSCarterJr/UnsecuredAPIKeys-OpenSource
- Must be visible in UI/documentation
See LICENSE for full details.
Looking for the original Web UI + WebAPI architecture? Check the legacy_ui branch.
Note: The legacy branch is no longer actively maintained. For the full-featured web experience, use www.UnsecuredAPIKeys.com.
For higher limits, more providers, web interface, and community features:
Remember: Use responsibly and in accordance with applicable laws.