How do I check if my API key leaked on GitHub?

Short answer

Scan your full git history (not just HEAD) for patterns matching your vendor's key format: OpenAI keys start with `sk-` (or `sk-proj-`), Stripe live secret keys with `sk_live_`, AWS access key IDs with `AKIA`, and Supabase keys are JWTs, which start with `eyJhbG` (base64 for `{"alg`). Use trufflehog or gitleaks locally today, or request Securie access for a full-history scan when your repo is enabled.

Automated scrapers index every public GitHub commit within seconds of a push. If your key was ever committed, assume it is compromised, even if you force-pushed the commit away afterwards: the old commit stays fetchable by hash on GitHub, and the scrapers already copied it.

Quick local check (the character class is wider than `[a-zA-Z0-9]` because newer OpenAI project keys contain `_` and `-`):

```sh
git log --all -p | grep -E 'sk-(proj-)?[A-Za-z0-9_-]{40,}'
```

Note that `git log --all` only walks commits still reachable from a ref; a commit you force-pushed away is dangling locally, but it was already mirrored, so a clean result here does not mean the key never left your machine.

Better local check: run `trufflehog git file://.` or `gitleaks detect --source .`. Both are open-source and free, and both walk the full git history by default. Do not add gitleaks' `--no-git` flag for this question: it does the opposite and scans only the working tree at HEAD.
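For a check that goes one step past the grep above, here is an added example (not Securie's scanner, and not any vendor's published key grammar) that matches the four key formats named on this page over arbitrary text, decodes the claims of any JWT it finds so that a Supabase `service_role` key is reported as critical while the browser-facing `anon` key is not, and optionally runs that matcher over every blob in a local repo's object store, reachable or dangling. The regex character classes after each prefix are assumptions chosen to be slightly loose; `scan_repo()` assumes `git` is on PATH, and the sample diff text at the bottom is constructed, not a real credential.

```python
"""Scan text, or every blob in a local git repo, for the key formats named above.

Added example: the regexes approximate public key prefixes (sk-, sk_live_, AKIA,
eyJ) and are assumptions, not vendor specs. scan_repo() assumes git is on PATH.
"""
import base64
import json
import re
import subprocess
import sys

# Character classes after the prefixes are assumptions, deliberately a little loose.
PATTERNS = {
    "openai": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{40,}"),
    "stripe_live": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    # Any JWT: three base64url segments; 'eyJ' is base64 for '{"'.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (re-adding stripped padding) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def classify_jwt(token: str) -> tuple[str, str]:
    """(vendor, severity) for a JWT, read from its unverified claims.

    Supabase's anon key is meant to ship to browsers; the service_role key
    bypasses row-level security, so only the latter is a critical leak.
    """
    try:
        claims = _b64url_json(token.split(".")[1])
        iss, role = claims.get("iss"), claims.get("role")
    except (ValueError, IndexError, AttributeError):
        return ("jwt", "review")
    if iss == "supabase" and role == "service_role":
        return ("supabase_service_role", "critical")
    if iss == "supabase" and role == "anon":
        return ("supabase_anon", "info")
    return ("jwt", "review")


def find_secrets(text: str) -> list[dict]:
    """Every candidate credential in text, as {vendor, severity, match}."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            vendor, severity = name, "critical"
            if name == "jwt":
                vendor, severity = classify_jwt(m.group(0))
            findings.append({"vendor": vendor, "severity": severity, "match": m.group(0)})
    return findings


def repo_object_shas(repo: str) -> set[str]:
    """Objects reachable from any ref plus dangling ones, which is where the files
    of a force-pushed-away commit still sit locally until git gc prunes them."""
    out = subprocess.run(["git", "-C", repo, "rev-list", "--all", "--objects"],
                         capture_output=True, text=True, check=True).stdout
    shas = {line.split()[0] for line in out.splitlines() if line}
    fsck = subprocess.run(["git", "-C", repo, "fsck", "--unreachable", "--no-reflogs"],
                          capture_output=True, text=True).stdout
    for line in fsck.splitlines():  # lines look like: unreachable blob <sha>
        parts = line.split()
        if len(parts) == 3 and parts[0] == "unreachable":
            shas.add(parts[2])
    return shas


def scan_repo(repo: str) -> list[dict]:
    """Run find_secrets() over the content of every blob in the repo's object store."""
    shas = sorted(repo_object_shas(repo))
    check = subprocess.run(["git", "-C", repo, "cat-file", "--batch-check"],
                           input="\n".join(shas) + "\n", capture_output=True,
                           text=True, check=True).stdout
    blobs = [l.split()[0] for l in check.splitlines() if l.split()[1:2] == ["blob"]]
    results = []
    for sha in blobs:
        data = subprocess.run(["git", "-C", repo, "cat-file", "-p", sha],
                              capture_output=True, check=True).stdout
        for f in find_secrets(data.decode("utf-8", "replace")):
            results.append({**f, "blob": sha})
    return results


def fake_jwt(claims: dict) -> str:
    """Constructed JWT for sample input only; the signature segment is filler."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{'x' * 43}"


# Constructed diff text for demonstration; none of these values is a real credential.
SAMPLE_TEXT = "\n".join([
    "+OPENAI_API_KEY=sk-proj-" + "A" * 48,
    "+STRIPE_SECRET=sk_live_" + "B" * 24,
    "+AWS_ACCESS_KEY_ID=AKIA" + "C" * 16,
    "+SUPABASE_SERVICE_KEY=" + fake_jwt({"iss": "supabase", "role": "service_role"}),
    "+SUPABASE_ANON_KEY=" + fake_jwt({"iss": "supabase", "role": "anon"}),
    "+comment=sk-short is not a key",
])

if __name__ == "__main__":
    # Usage: python scan.py /path/to/repo   (no argument: scan the sample text)
    hits = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else find_secrets(SAMPLE_TEXT)
    for h in hits:
        print(h["severity"].upper(), h["vendor"], h.get("blob", "sample"), h["match"][:12] + "...")
```

Run it with a repo path to scan that repo's objects, or with no arguments to see the five constructed hits classified. The point of decoding the JWT claims is triage: a repo full of Supabase anon keys is expected, a single service_role key is an incident. Like the tools above, this only tells you what is in your local object store; treat any hit as already harvested.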

If you find a match:

1. Revoke the key at the vendor immediately. Deleting or rewriting the commit revokes nothing; do that second, if at all.
2. Create a replacement with the minimum permissions the workload actually needs.
3. Rotate it across every environment (CI secrets, deployment config, developer machines) so no copy of the old key is still in use.
4. Check the vendor's usage and billing logs for the window the key was exposed, and contact the vendor's fraud team if abuse is evident.

GitHub's built-in secret scanning catches some patterns but misses many. Don't rely on it exclusively.

When your repo is enabled, Securie will walk your full commit history + client bundle + deployment URLs — finds not just the key you suspect leaked, but any others you don't. Request access at /scan.
