KeyTrace scans public sources for credentials your developers accidentally exposed — including through AI tools like ChatGPT, Claude, and Gemini. Search your domain and see exactly what leaked, where, and how to fix it.
Free to check. No credit card required.
GitHub, Pastebin, Reddit, HuggingFace and more — scanned around the clock for credential patterns.
Domains, repo names, and context clues link each leak to the company it likely belongs to.
Verify your domain, see everything tied to it, and go straight to the exposure to rotate the credential.
— A live payment-processor secret key, publicly exposed in a fintech startup's example config file.
— Cloud root credentials committed to a public repo by a health-tech startup's contractor.
— An LLM API key with a $50,000/month usage limit, pasted into a public notebook.
Real findings, anonymized. We do not display credential values to anyone, ever — see our FAQ.
Know what leaked before an attacker finds it.
$2,500/mo
$8,000/mo
Yes. We only scan sources that are already public — the same repos, pastes, and posts anyone (including attackers) can already see. We don't access private systems or bypass any access controls.
We store an encrypted copy solely to detect duplicates and re-check whether a credential is still live. We never display, decrypt for viewing, or hand over a usable credential value to any customer, at any plan — including you. What you get is the location of the exposure so you can rotate it yourself.
Great news — and we keep scanning. You'll get an alert the moment something new shows up tied to your domain.
No. Full details are only visible after you verify DNS control of your domain and are on a paid plan. The free tier only shows a count.