@win3zz
Last active December 5, 2025 15:38

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Update: We can use the following refined regular expression to filter out most dummy keys:

... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

Special thanks to @fkulakov for the insightful contribution.

Screenshot:

GithubOpenAIAPIkeysSearch

2. GitHub OAuth/App/Personal/Refresh Access Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))

3. Slack Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (xox AND Slack)

4. Google API key

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (AIza AND Google)

5. Square OAuth/access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))

6. Shopify shared secret, access token, private/custom app access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")

Parameters Used

File Extensions

| File Extension | Description |
|---|---|
| .xml | XML file format |
| .json | JSON (JavaScript Object Notation) file format |
| .properties | Properties file format used for configuration settings |
| .sql | SQL (Structured Query Language) file format used for database queries |
| .txt | Plain text file format |
| .log | Log file format used for recording events or activities |
| .tmp | Temporary file format |
| .backup | Backup file format |
| .bak | Backup file format |
| .enc | Encrypted file format |
| .yml | YAML (YAML Ain't Markup Language) file format used for configuration settings |
| .yaml | YAML (YAML Ain't Markup Language) file format used for configuration settings |
| .toml | TOML (Tom's Obvious, Minimal Language) file format used for configuration settings |
| .ini | INI (Initialization) file format used for configuration settings |
| .config | Configuration file format |
| .conf | Configuration file format |
| .cfg | Configuration file format |
| .env | Environment file format |
| .envrc | Environment file format specific to the Direnv tool |
| .prod | Production file format |
| .secret | Secret file format |
| .private | Private file format |
| .key | Key file format |

Keynames

| Keynames | Description |
|---|---|
| access_key | Variable name to store the key used for accessing a resource or service |
| secret_key | Variable name to store the key used for authentication or encryption |
| access_token | Variable name to store the token used for accessing an API or resource |
| api_key | Variable name to store the key used for accessing an API or service |
| apikey | Shortened version of "api_key" |
| api_secret | Variable name to store the secret key used for API authentication |
| apiSecret | An alternate of "api_secret" |
| app_secret | Variable name to store the secret key used for application authentication |
| application_key | Variable name to store the key used for identifying an application |
| app_key | Variable name to store the key used for identifying an application |
| appkey | Shortened version of "app_key" |
| auth_token | Variable name to store the token used for authentication or authorization |
| authsecret | Variable name to store the secret key used for authentication or authorization |
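
The same three-clause filter (file extension, key name, token signature) can be run over your own files before a push, so a hardcoded key is caught locally instead of by a public search. This is an added example, not part of the original gist: `scan_file`, `BODY` and the sample values are assumptions made here, and the platform-tag clause is dropped so that a key is flagged whatever words surround it.

```python
import re

# Clause 1: extensions from the "File Extensions" table above.
EXTENSIONS = (".xml", ".json", ".properties", ".sql", ".txt", ".log", ".tmp",
              ".backup", ".bak", ".enc", ".yml", ".yaml", ".toml", ".ini",
              ".config", ".conf", ".cfg", ".env", ".envrc", ".prod", ".secret",
              ".private", ".key")

# Clause 2: variable names from the "Keynames" table (matched case-insensitively).
KEYNAMES = re.compile(
    r"access_key|secret_key|access_token|api_key|apikey|api_secret|apisecret|"
    r"app_secret|application_key|app_key|appkey|auth_token|authsecret", re.I)

# Clause 3: token signatures. Only the two OpenAI regexes come from the page;
# BODY is an assumed generic token body appended to the page's prefixes.
BODY = r"[A-Za-z0-9_-]{16,}"
SIGNATURES = {
    "openai": re.compile(r"sk-[a-zA-Z0-9]{48}"),
    "openai-project": re.compile(r"sk-proj-[a-zA-Z0-9_-]{100,}"),
    "anthropic": re.compile(r"sk-ant-" + BODY),
    "github": re.compile(r"gh[pousr]_" + BODY),
    "slack": re.compile(r"xox[a-z]-" + BODY),  # assumed shape after "xox"
    "google": re.compile(r"AIza" + BODY),
    "square": re.compile(r"sq0(?:atp|csp)-" + BODY),
    "shopify": re.compile(r"shp(?:ss|at|ca|pa)_" + BODY),
}

def scan_file(path, text):
    """Return (line_number, platform, redacted_match) hits for one file."""
    if not path.lower().endswith(EXTENSIONS):   # clause 1; also matches a bare ".env"
        return []
    if not KEYNAMES.search(text):               # clause 2, anywhere in the file
        return []
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for platform, rx in SIGNATURES.items():  # clause 3, per line
            for m in rx.finditer(line):
                # Redact: never echo a full secret into a terminal or CI log.
                hits.append((lineno, platform, m.group()[:8] + "..."))
    return hits

# Constructed sample input (not a real key).
SAMPLE_KEY = "sk-" + "a1B2" * 12
SAMPLE_ENV = f"# gpt settings\nOPENAI_API_KEY={SAMPLE_KEY}\nDEBUG=false\n"

if __name__ == "__main__":
    for hit in scan_file("deploy/.env", SAMPLE_ENV):
        print(hit)
```

A token in a file with no matching key name is not reported, which is the same blind spot the search queries have; drop the clause 2 check for a stricter local scan.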

Other Useful Tools:

@jainilshah007

all Diamonds are mined

@yashyadurai

yes gng @jainilshah007

@Nabeel-javed

how to sort by latest

@Abel-Padilla

Do yall guys found some one that works?

@w3villa-manish-chaudhary

Here's a Node.js script that takes a list of your keys, checks each against the OpenAI models API, and prints whether each key is VALID or INVALID:

```js
import fetch from "node-fetch";

const keys = [
  "xyz1234567890abcdefg", // Replace with your actual API keys
  "abc9876543210fedcba", // Add more keys as needed
];

// Query the models endpoint with one key and map the HTTP status to a verdict.
async function verifyKey(apiKey) {
  try {
    const res = await fetch("https://api.openai.com/v1/models", {
      method: "GET",
      headers: {
        Authorization: `Bearer ${apiKey}`,
      },
    });

    if (res.status === 200) {
      return { key: apiKey, status: "✅ VALID" };
    } else if (res.status === 401) {
      return { key: apiKey, status: "❌ INVALID" };
    } else {
      return { key: apiKey, status: `⚠️ ERROR: ${res.status}` };
    }
  } catch (err) {
    // Network or DNS failure: report it rather than treating the key as invalid.
    return { key: apiKey, status: `⚠️ ERROR: ${err.message}` };
  }
}

(async () => {
  console.log("Checking API keys...\n");
  for (const key of keys) {
    const result = await verifyKey(key);
    console.log(`${result.key} -> ${result.status}`);
  }
})();
```

@jappanrana

use this pattern for new api key pattern identification
/sk-proj-[a-zA-Z0-9_-]{100,}/

@hw630590

hw630590 commented Oct 11, 2025

image congratulations, it's a NON SECRET KEY 💀

@sonuprasad23

Anyone got any functional open ai or gemini(NANO BANANA) api key ?

@SynclonSec

SynclonSec commented Oct 26, 2025 via email

@Kr4ze18

Kr4ze18 commented Nov 12, 2025

Dawg I'm in school rn and I was looking at a tt before I got here for help but I couldn't send it to myself in time, anyone know what to do to get to nohas tutoring link? Help me out if you do 🙏

@xrettle

xrettle commented Nov 22, 2025

I also noticed that basically all openai keys have "T3BlbkFJ" in it which is the base64 encoding of OpenAI

@d-velopr

d-velopr commented Dec 1, 2025

I also noticed that basically all openai keys have "T3BlbkFJ" in it which is the base64 encoding of OpenAI

Does this project still work? I heard most keys don't work... what do you think?

@chrisBHee

FREE API KEYS


@uzairdeveloper223

seriously the vibe coder 😂 as a full stack dev i know the consequences if even one is leaked and one more thing i have tested some anthropic api keys and they are working

@uzairdeveloper223

seriously the vibe coder 😂 as a full stack dev i know the consequences if even one is leaked and one more thing i have tested some anthropic api keys and they are working

here is the search param for it

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-ant-" AND (anthropic OR claude))
