Your API keys are already on GitHub. We can prove it.

KeyTrace scans public sources for credentials your developers accidentally exposed — including through AI tools like ChatGPT, Claude, and Gemini. Search your domain and see exactly what leaked, where, and how to fix it.

Free to check. No credit card required.

How it works

1

We scan continuously

GitHub, Pastebin, Reddit, HuggingFace and more — scanned around the clock for credential patterns.

2

We attribute automatically

Domains, repo names, and context clues link each leak to the company it likely belongs to.

3

You search & rotate

Verify your domain, see everything tied to it, and go straight to the exposure to rotate the credential.

What we found last week

— A live payment-processor secret key, publicly exposed in a fintech startup's example config file.

— Cloud root credentials committed to a public repo by a health-tech startup's contractor.

— An LLM API key with a $50,000/month usage limit, pasted into a public notebook.

Real findings, anonymized. We do not display credential values to anyone, ever — see our FAQ.

Pricing

Know what leaked before an attacker finds it.

Free

$0

  • Leak count for your verified domain
  • Risk breakdown summary
Get started
Most popular

Pro

$2,500/mo

  • Full search results
  • Exposure location + context for every leak
  • Email alerts on new leaks
Upgrade to Pro

Enterprise

$8,000/mo

  • Everything in Pro
  • API access & SSO
  • Compliance reports
  • Private-repo scanning
Talk to sales

FAQ

Is this legal?

Yes. We only scan sources that are already public — the same repos, pastes, and posts anyone (including attackers) can already see. We don't access private systems or bypass any access controls.

Do you store or show my keys?

We store an encrypted copy solely to detect duplicates and re-check whether a credential is still live. We never display, decrypt for viewing, or hand over a usable credential value to any customer, at any plan — including you. What you get is the location of the exposure so you can rotate it yourself.

What if nothing is found?

Great news — and we keep scanning. You'll get an alert the moment something new shows up tied to your domain.

Can anyone see my company's leaks?

No. Full details are only visible after you verify DNS control of your domain and are on a paid plan. The free tier only shows a count.