win3zz/GitHub-Leaked-API-Keys-and-Secrets.md

Last active October 26, 2025 02:39

Star (600) You must be signed in to star a gist
Fork (165) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/win3zz/0a1c70589fcbea64dba4588b93095855.js"></script>
Save win3zz/0a1c70589fcbea64dba4588b93095855 to your computer and use it in GitHub Desktop.

Raw

GitHub-Leaked-API-Keys-and-Secrets.md

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Update: We can use following refined regular expression to filters out most dummy keys:

... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

Special thanks to @fkulakov for the insightful contribution.

Screeenshot:

2. Github OAuth/App/Personal/Refresh Access Token

3. Slack Token

4. Google API key

5. Square OAuth/access token

6. Shopify shared secret, access token, private/custom app access token

Parameters Used

File Extensions

File Extension	Description
.xml	XML file format
.json	JSON (JavaScript Object Notation) file format
.properties	Properties file format used for configuration settings
.sql	SQL (Structured Query Language) file format used for database queries
.txt	Plain text file format
.log	Log file format used for recording events or activities
.tmp	Temporary file format
.backup	Backup file format
.bak	Backup file format
.enc	Encrypted file format
.yml	YAML (YAML Ain't Markup Language) file format used for configuration settings
.yaml	YAML (YAML Ain't Markup Language) file format used for configuration settings
.toml	TOML (Tom's Obvious, Minimal Language) file format used for configuration settings
.ini	INI (Initialization) file format used for configuration settings
.config	Configuration file format
.conf	Configuration file format
.cfg	Configuration file format
.env	Environment file format
.envrc	Environment file format specific to the Direnv tool
.prod	Production file format
.secret	Secret file format
.private	Private file format
.key	Key file format

Keynames

Keynames	Description
access_key	Variable name to store the key used for accessing a resource or service
secret_key	Variable name to store the key used for authentication or encryption
access_token	Variable name to store the token used for accessing an API or resource
api_key	Variable name to store the key used for accessing an API or service
apikey	Shortened version of "api_key"
api_secret	Variable name to store the secret key used for API authentication
apiSecret	An alternate of "api_secret"
app_secret	Variable name to store the secret key used for application authentication
application_key	Variable name to store the key used for identifying an application
app_key	Variable name to store the key used for identifying an application
appkey	Shortened version of "app_key"
auth_token	Variable name to store the token used for authentication or authorization
authsecret	Variable name to store the secret key used for authentication or authorization

Other Useful Tools:

Online IDE Search: https://redhuntlabs.com/online-ide-search/
Keyhacks on GitHub: https://github.com/streaak/keyhacks
Google Hacking Database: https://www.exploit-db.com/google-hacking-database

Author

win3zz commented Dec 6, 2023

returns error exceeds 256 characters /more that 5 operators disallowed

@accessor-io I just tried it and no such errors were found. Please try again, and make sure you are using the operators correctly.

Author

win3zz commented Dec 6, 2023

hi. very good. can help me more page limited 5 pages. thanks.

@lolminerxmrig The 5-page limit is a known issue on GitHub, and the GitHub development team is aware of it and is actively working to address the issue. You can review the ongoing discussions about this matter on the GitHub community forum.

It should have been fixed earlier, but I don't know why they're taking this much time.

fkulakov commented Dec 27, 2023

For openai api_keys, you can use this regular expression to filter out most dummies:

AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

instead of

AND ("sk-" AND (openai OR gpt))

Author

win3zz commented Dec 29, 2023

@fkulakov That's c00l! Thank you for sharing. I updated this gist.

ghost commented Aug 19, 2024

THANKS <3

TriDev-Studios commented Aug 19, 2024

not working anymore, I get error too many AND OR

Author

win3zz commented Aug 20, 2024

@TriDev-Studios are you sure?? Working fine for me:

Ve2s4 commented Sep 8, 2024

Create a list of the leaked secret keys and then run them through this function to quickly check which ones are valid.

keys = [
secret keys here...
]

for key, i in zip(keys, range(len(keys))):
    try:
        client = OpenAI(api_key=key)
        chat_completion = client.chat.completions.create(
            messages=[
                {
                    "role": "user",
                    "content": "Say this is a test",
                }
            ],
            model="gpt-3.5-turbo",
        )
        print("response",i, chat_completion.choices[0].message.content)
    except Exception as e:
        print("error", i, str(e))
        continue

vassu-v commented Nov 3, 2024

could anybody give working keys cuz all the keys in search are old or fake they do not work

prawnydagrate commented Nov 10, 2024

could anybody give working keys cuz all the keys in search are old or fake they do not work

bro that's illegal you're not supposed to actually try to use these keys 💀

dickyindra commented Dec 2, 2024

could anybody give working keys cuz all the keys in search are old or fake they do not work

OpenAI will disable the API key that has been publicly leaked 😅

SynclonSec commented Dec 12, 2024

LMFAOOOOOOOOOOOO

mimi-netizen commented Jan 20, 2025

Most don't work, thank you though.

SynclonSec commented Jan 21, 2025

bc they disable it bruh

Darry1968 commented Feb 27, 2025 •

edited

Loading

Bro really said do secure coding not secure comments😭😭

Author

win3zz commented Feb 27, 2025

Bro really said do secure coding not secure comments😭😭

Locking door and leaving the key under the mat… with a sign pointing to it. haha

torcop commented Apr 7, 2025

when i paste the expression on search bar . browser seems stops working. how to make it right . please help

Steiner-254 commented Apr 7, 2025

Bro really said do secure coding not secure comments😭😭

Locking door and leaving the key under the mat… with a sign pointing to it. haha

Haha /:

Steiner-254 commented Apr 7, 2025

when i paste the expression on search bar . browser seems stops working. how to make it right . please help

your machine specifications might be weak, RAM e.t.c ... check on your internet connection too

torcop commented Apr 7, 2025

all keys are invalid . 5 paginated search page i explored :( what to do to practice.

RayyanNafees commented Apr 27, 2025

@torcop cuz most of them are already being exhausted by other ppl mining crypto transactions

jainilshah007 commented May 21, 2025

all Diamonds are mined

yashyadurai commented May 21, 2025

yes gng @jainilshah007

Nabeel-javed commented May 23, 2025

how to sort by latest

Abel-Padilla commented Jul 9, 2025

Do yall guys found some one that works?

w3villa-manish-chaudhary commented Aug 6, 2025

Here’s a Node.js script that takes a list of your keys, checks each against the OpenAI models API, and prints whether each key is VALID or INVALID:

import fetch from "node-fetch";

const keys = [
"xyz1234567890abcdefg", // Replace with your actual API keys
"abc9876543210fedcba", // Add more keys as needed
];

async function verifyKey(apiKey) {
try {
const res = await fetch("https://api.openai.com/v1/models", {
method: "GET",
headers: {
Authorization: Bearer ${apiKey}
}
});

if (res.status === 200) {
  return { key: apiKey, status: "✅ VALID" };
} else if (res.status === 401) {
  return { key: apiKey, status: "❌ INVALID" };
} else {
  return { key: apiKey, status: `⚠️ ERROR: ${res.status}` };
}

} catch (err) {
return { key: apiKey, status: ⚠️ ERROR: ${err.message} };
}
}

(async () => {
console.log("Checking API keys...\n");
for (const key of keys) {
const result = await verifyKey(key);
console.log(${result.key} -> ${result.status});
}
})();

jappanrana commented Sep 28, 2025

use this pattern for new api key pattern identification
/sk-proj-[a-zA-Z0-9_-]{100,}

hw630590 commented Oct 11, 2025 •

edited

Loading

congratulations, it's a NON SECRET KEY 💀

sonuprasad23 commented Oct 21, 2025

Anyone got any functional open ai or gemini(NANO BANANA) api key ?

SynclonSec commented Oct 26, 2025 via email

aint no way cuh, gemini has more than enough api cred for free daily than u will ever need and ur still scouring on a 3 year old failure of a thread looking for gemini api keys?

…

On Tue, Oct 21, 2025 at 12:16 PM Sonu Prasad ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Anyone got any functional open ai or gemini(NANO BANANA) api key ? — Reply to this email directly, view it on GitHub <https://gist.github.com/win3zz/0a1c70589fcbea64dba4588b93095855#gistcomment-5815599> or unsubscribe <https://github.com/notifications/unsubscribe-auth/BGTTRS7PZBKZTFDNA36QEZD3YZS6BBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLKJRGQZDKMZWGEYDDJDOMFWWLKDBMN2G64S7NFSIFJLWMFWHKZNEORZHKZNENZQW2ZN3ORUHEZLBMRPXAYLSORUWG2LQMFXHIX3BMN2GS5TJOR4YFJLWMFWHKZNEM5UXG5FENZQW2ZNLORUHEZLBMRPXI6LQMWWHG5LCNJSWG5C7OR4XAZNLI5UXG5CDN5WW2ZLOOSTHI33QNFRXHEMCUR2HS4DFURTWS43UUV3GC3DVMWUTCMRTGA2TEOJQG6TXI4TJM5TWK4VGMNZGKYLUMU> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

win3zz/GitHub-Leaked-API-Keys-and-Secrets.md

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

Search Syntax:

Examples:

Screeenshot:

Parameters Used

File Extensions

Keynames

Other Useful Tools:

win3zz commented Dec 6, 2023

Uh oh!

win3zz commented Dec 6, 2023

Uh oh!

fkulakov commented Dec 27, 2023

Uh oh!

win3zz commented Dec 29, 2023

Uh oh!

ghost commented Aug 19, 2024

Uh oh!

TriDev-Studios commented Aug 19, 2024

Uh oh!

win3zz commented Aug 20, 2024

Uh oh!

Ve2s4 commented Sep 8, 2024

Uh oh!

vassu-v commented Nov 3, 2024

Uh oh!

prawnydagrate commented Nov 10, 2024

Uh oh!

dickyindra commented Dec 2, 2024

Uh oh!

SynclonSec commented Dec 12, 2024

Uh oh!

mimi-netizen commented Jan 20, 2025

Uh oh!

SynclonSec commented Jan 21, 2025

Uh oh!

Darry1968 commented Feb 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

win3zz commented Feb 27, 2025

Uh oh!

torcop commented Apr 7, 2025

Uh oh!

Steiner-254 commented Apr 7, 2025

Uh oh!

Steiner-254 commented Apr 7, 2025

Uh oh!

torcop commented Apr 7, 2025

Uh oh!

RayyanNafees commented Apr 27, 2025

Uh oh!

jainilshah007 commented May 21, 2025

Uh oh!

yashyadurai commented May 21, 2025

Uh oh!

Nabeel-javed commented May 23, 2025

Uh oh!

Abel-Padilla commented Jul 9, 2025

Uh oh!

w3villa-manish-chaudhary commented Aug 6, 2025

Uh oh!

jappanrana commented Sep 28, 2025

Uh oh!

hw630590 commented Oct 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sonuprasad23 commented Oct 21, 2025

Uh oh!

SynclonSec commented Oct 26, 2025 via email

Uh oh!

Darry1968 commented Feb 27, 2025 •

edited

Loading

hw630590 commented Oct 11, 2025 •

edited

Loading