API Key Validators: The Complete Arsenal
One-Line Flow: Mystery string → instant verdict → "it's a live Stripe key with full permissions, go collect your bounty."
You're poking around some startup's public GitHub. Buried in a config file, you spot this:
AKIA3EXAMPLE7KEYHERE
Is it real? Is it expired? Is it a honeypot? Is it connected to an AWS account with $47,000 in credits?
You could:
- Google "how to check AWS key" (25 minutes of garbage)
- Paste it into some sketchy online checker (congrats, now they have it)
- Ask Discord and get clowned
Or: Run one command, know everything in 4 seconds, move on with your life.
That's what these tools do. The difference between "I think I found something" and "here's the screenshot for my $2,000 bounty report."
Baby's First Glossary
Skip this if you've touched a terminal before.
Words I'll Use (30-Second Crash Course)
| Word | Plain English |
|---|---|
| CLI | Command-line interface. The black/white terminal window. You type, it does. |
| Go | A programming language. Installing Go tools = go install blah@latest |
| pip | Python's app store. pip install thing = download Python tool |
| git clone | Download a project from GitHub to your computer |
| Regex | Pattern matching. How tools recognize "this looks like a Stripe key" |
| Binary | A ready-to-run program. No setup, just download and execute |
| Repo | Repository. A project folder on GitHub |
| API | How apps talk to each other. Your key = your password to that conversation |
You're good now. Let's go.
The Rankings
Ranked by: "I have a mystery key, how fast can I get answers?"
#1 – Nuclei Token-Spray: The Slot Machine That Pays Out
The vibe: You have a weird key. No clue what service. This throws it at 100+ APIs simultaneously like a casino pull. When something hits, you know exactly what you've got.
Why it's king:
- Found a random sk_ string? Spray it. Stripe, SendGrid, and 98 others get tested in seconds.
- Community updates it constantly (new API = new template within weeks)
- Used by actual professionals, not just "GitHub star collectors"
Get it running:
# Install (one time)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates
# Check one key
nuclei -t http/token-spray/ -var token=sk_live_xxxxxx
# Check a whole file of keys
nuclei -t http/token-spray/ -var token=mystery_keys.txt
What you see:
[api-stripe] [http] [info] Token is valid for Stripe
That's it. Mystery solved.
#2 – TruffleHog: The War Crime Scanner
The vibe: Doesn't just find secrets. Finds them, calls the actual API to verify they work, tells you what permissions they have, and scans through years of git history including stuff the developer "deleted."
Why it's terrifying:
- 800+ secret types recognized
- Finds AWS key → actually calls AWS → confirms it works → tells you it has S3 admin access
- Scans deleted commits (people think git rm = gone forever. lol.)
- Works on GitHub, GitLab, Docker images, S3 buckets, Slack exports, local files…
Get it running:
# Install
brew install trufflehog
# or: go install github.com/trufflesecurity/trufflehog/v3@latest
# Scan any public repo
trufflehog git https://github.com/some-startup/their-app
# Only show CONFIRMED WORKING secrets (skip the noise)
trufflehog git https://github.com/target --only-verified
# Scan local folder
trufflehog filesystem /path/to/sus/code
What you see:
✓ Verified: AWS Access Key
Account ID: 123456789012
ARN: arn:aws:iam::123456789012:user/dev-brian
Brian's having a bad day.
#3 – keyhacks.sh: The Cheat Sheet That Types Itself
The vibe: 60+ services. You say "check this Slack token", it runs the exact curl command, tells you valid or not. No thinking.
Why it survives:
- Zero dependencies except bash (works on a potato)
- Been around forever, battle-tested
- You can read the code in 5 minutes and understand everything
Get it running:
git clone https://github.com/gwen001/keyhacks.sh
cd keyhacks.sh
chmod +x keyhacks.sh
# Use it
./keyhacks.sh stripe sk_live_xxxxxxxxxxxx
./keyhacks.sh slack xoxb-xxxxxxxxxxxx
./keyhacks.sh aws AKIAXXXXXXXX SECRETKEYHERE
./keyhacks.sh github ghp_xxxxxxxxxxxx
Supports: Algolia, Asana, AWS, Azure, Bitly, BrowserStack, Cloudflare, DataDog, Deviant Art, Dropbox, Facebook, Firebase, GitHub, GitLab, Google (multiple), Heroku, Infura, Instagram, Mailchimp, Mailgun, Mailjet, Mapbox, OpsGenie, PagerDuty, PayPal (sandbox + live), Pendo, Salesforce, SauceLabs, SecurityTrails, SendGrid, Slack, Square, Travis CI, Twilio, Twitter… I'm tired of typing.
#4 – APIKeyzer: The Reboot We Needed
The vibe: Someone finally said "what if apiguesser + keyhacks had a baby?" Single Go binary. Key in, answer out. No setup drama.
Why it's exciting:
- Exactly what the archived Key-Checker was
- Identifies service + validates in one step
- 2025 code, not 2021 spaghetti
Get it running:
go install github.com/Xplo8E/APIKeyzer/cmd/apiKeyzer@latest
apiKeyzer --key "sk_live_xxxxxxxxxxxxx"
apiKeyzer --list keys.txt
cat keys.txt | apiKeyzer
Caveat: Fresh repo, low stars. Works, but you're an early adopter.
#5 – apiguesser: From the Guy Who Started All This
The vibe: Same author as the original Key-Checker (daffainfo). You give it a key with ZERO context, it figures out what service based on the format, then checks if valid.
Why it matters: When you genuinely have no idea what something is.
go install github.com/daffainfo/apiguesser@latest
./apiguesser -api "AIzaSyD-xxxxxxxxxxxxx"
# Output: "Google Maps API Key" + validity check
Lazy version: api-guesser.netlify.app → paste key, click button, done.
apiguesser – Web UI
#6 – AdvancedKeyHacks: For the Menu Lovers
The vibe: Interactive menu. Pick service from list, paste key, get result. For people who hate memorizing flags.
git clone https://github.com/udit-thakkur/AdvancedKeyHacks
cd AdvancedKeyHacks && chmod +x *.sh
./hackcura_apikey_hacks.sh
45+ services. Point and click energy.
#7 – Api-Key-Checker: Python, Simple, Growing
The vibe: Python CLI. Google, Firebase, OpenAI, Stripe, Facebook. Clean output, beginner-friendly.
git clone https://github.com/mahfuz33R/Api-Key-Checker
cd Api-Key-Checker
pip install -r requirements.txt
python apikey_checker.py
# Enter keys comma-separated when prompted
Not the biggest coverage, but itโs readable code you can extend yourself.
#8 – dora: Finds Keys AND Tells You How to Abuse Them
The vibe: Scans folders using ripgrep (stupid fast), finds secrets, then shows exploitation steps for each type. Most tools stop at "found key." This one says "found key, here's the curl command to drain their Stripe balance."
git clone https://github.com/sdushantha/dora
cd dora && python3 setup.py install --user
dora /path/to/scan/
Requires: ripgrep installed first.
#9 – KeyLeak Detector: Scan Live Websites Like a Psycho
The vibe: Opens target website in headless browser, intercepts ALL traffic (XHR, WebSocket, everything), scans JS bundles, headers, API responses. Finds stuff static scanners physically cannot see.
git clone https://github.com/Amal-David/keyleak-detector
cd keyleak-detector
docker compose up -d
# Open http://localhost:5002
# Enter target URL, hit scan
Uses Playwright + mitmproxy under the hood. Patterns pulled from Gitleaks automatically.
#10 – Gitleaks: The Speed Freak (Detection Only)
The vibe: Scans at GB/s. Perfect for CI/CD pipelines and pre-commit hooks. Finds potential secrets, does NOT verify them.
brew install gitleaks
gitleaks detect --source . --verbose
Use case: Block commits containing secrets. Pair with TruffleHog or keyhacks to verify what it finds.
#11 – Nosey Parker: When You're Drowning in False Positives
The vibe: Rust + machine learning. 188 rules, lowest false-positive rate in the game. For when other tools cry wolf too much.
The Pattern Libraries
Not tools – raw materials. For building your own scanner or understanding how detection works.
secrets-patterns-db – 1,600+ Regex Patterns
The largest open-source pattern database. Every secret type imaginable. Export to Gitleaks or TruffleHog format with one command.
git clone https://github.com/mazen160/secrets-patterns-db
python3 convert.py --export gitleaks
keyhacks (Original) – The Reference Bible
80+ services. Raw curl commands with expected responses. Every other tool on this list borrowed from here.
# Example from the repo:
curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN"
# Valid = returns team info. Invalid = returns error.
all-about-apikey – The Documentation Nobody Asked For (But We Needed)
150+ services. Each one has:
- Description
- Regex pattern
- Example request
- Example response
- What valid vs invalid looks like
From the same author as Key-Checker. Absolute unit of a reference.
secret-regex-list – Copy-Paste Into Python
Pre-formatted regex patterns ready to drop into your Python code. No conversion needed.
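To show what the pattern-library approach looks like once it's wired up, here is an added example (my code, not from any project on this list): a minimal regex scanner using approximate prefix patterns for a few of the key formats mentioned above, run over a constructed fake .env, with every match redacted before it is reported so the scan output never becomes a second leak. The regexes are my approximations of the vendors' published formats, not copied from secrets-patterns-db or secret-regex-list.

```python
import re
from typing import List, NamedTuple

# Approximate regexes for a few well-known key formats (assumption: prefixes and
# lengths follow the vendors' published formats; a real pattern DB has hundreds more).
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe Live Secret Key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "Slack Bot Token": re.compile(r"\bxoxb-[0-9]+-[0-9A-Za-z-]+"),
    "GitHub PAT": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "Google API Key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


class Finding(NamedTuple):
    line_no: int
    service: str
    redacted: str  # never the full value


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the source file."""
    if len(secret) <= 12:
        return "***"
    return secret[:6] + "..." + secret[-4:]


def scan_lines(lines: List[str]) -> List[Finding]:
    """Run every pattern over every line; one Finding per match, in file order."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        for service, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(no, service, redact(m.group(0))))
    return findings


# Constructed sample input: a fake .env with placeholder values, not real credentials.
SAMPLE_ENV = [
    "# constructed sample .env, not real credentials",
    "AWS_ACCESS_KEY_ID=AKIA3EXAMPLE7KEYHERE",
    'STRIPE_KEY="sk_live_' + "0" * 28 + '"',
    "SLACK_TOKEN=xoxb-000000000000-000000000000-EXAMPLETOKENVALUE",
    "GITHUB_TOKEN=ghp_" + "0" * 36,
    "MAPS_KEY=AIzaSyD-" + "0" * 31,
    "DEBUG=true",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_ENV):
        print(f"line {f.line_no}: {f.service} -> {f.redacted}")
```

Gitleaks and Nosey Parker add entropy scoring and allowlists on top of this to cut false positives; the verification step the page keeps coming back to (TruffleHog, keyhacks) is a separate stage that this detector deliberately does not perform.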
Decision Matrix
Stop thinking. Use this.
| Situation | Tool | Command |
|---|---|---|
| Random key, no clue what it is | Nuclei token-spray | nuclei -t http/token-spray/ -var token=KEY |
| Scan whole repo + verify working | TruffleHog | trufflehog git URL --only-verified |
| Know the service already | keyhacks.sh | ./keyhacks.sh servicename KEY |
| Scan live website (JS, headers, etc) | keyleak-detector | Browser UI at localhost:5002 |
| Pre-commit CI/CD (speed matters) | Gitleaks | gitleaks detect --source . |
| Need to guess what service | apiguesser | ./apiguesser -api KEY |
| Building your own tool | secrets-patterns-db | 1,600 patterns ready to export |
| Want the simplest possible UX | APIKeyzer | apiKeyzer --key KEY |
How This All Connects
streaak/keyhacks (2019, the original bible)
│
├── gwen001/keyhacks.sh (automation layer)
├── AdvancedKeyHacks (interactive menus)
└── nuclei token-spray (industrial scale)
daffainfo (Key-Checker creator)
│
├── Key-Checker (archived 2021, RIP)
├── apiguesser (spiritual successor)
├── all-about-apikey (documentation)
└── api-guesser.netlify.app (web version)
APIKeyzer (2025) = apiguesser + keyhacks combined
Detection tier:
├── Gitleaks (fast, no verify)
├── Nosey Parker (ML-powered, precise)
└── TruffleHog (find + verify + everything)
Stuff You Didn't Ask For (But Will Use)
Online Checkers (For the Lazy)
- api-guesser.netlify.app – Paste key, auto-detect service
- securitytoolkits.com/tools/apikey-validator – Multi-service web checker
Warning: You're trusting these sites with secrets. Use for testing/learning only, never production keys.
Bug Bounty Playbook
- Find sus string → Run through nuclei token-spray
- Confirmed valid? → Run trufflehog analyze to enumerate permissions
- Writing report? → Copy curl command from keyhacks README (shows you know your stuff)
- Need impact proof? → dora shows exploitation paths
- Target has live app? → keyleak-detector catches runtime secrets
Pro tip: trufflehog git --include-detectors="AWS,Stripe" → scan only for specific services when you have a hunch.
The Gap Nobody's Filled Yet
Original Key-Checker:
./keychecker --service stripe --key sk_live_xxx
# → Valid
Nothing in 2025 is exactly that simple. Closest:
- APIKeyzer → Right UX, brand new, needs community testing
- keyhacks.sh → Proven, but bash-only
- Nuclei → Most powerful, but requires nuclei installed
The ecosystem went enterprise-scale instead of "quick check this one thing." Trade-off everyone accepted. If someone wants to build the perfect lightweight validator, the pieces are all here.
Why TruffleHog's Verification Changes Everything
Most tools: "This looks like an AWS key"
TruffleHog: "This is an AWS key, it works, here's the account ID, and it has S3 + EC2 permissions"
It literally calls sts:GetCallerIdentity for AWS, hits Stripe's auth endpoint for Stripe keys, etc. 800+ services with real API verification.
--only-verified flag = zero false positives. If it shows up, it's real.
Master Link Dump
Validators (Ranked):
- Nuclei + token-spray templates
- TruffleHog
- keyhacks.sh
- APIKeyzer
- apiguesser + web
- AdvancedKeyHacks
- Api-Key-Checker
- dora
- keyleak-detector
- Gitleaks
- Nosey Parker
Pattern Libraries:
- secrets-patterns-db (1,600+ patterns)
- keyhacks (the OG reference)
- all-about-apikey (150+ services documented)
- secret-regex-list (Python-ready)
- PayloadsAllTheThings - API Key Leaks
Online Tools:
Now go check if your own keys leaked. Because someone probably already did.