An API key is a unique identifier used to authenticate requests associated with your project. Developers sometimes hardcode API keys in source code or leave them on public shares.
Facebook Access Token
Github client id and client secret
curl ''
Twitter (X) API Secret
curl -u 'API key:API secret key' --data 'grant_type=client_credentials' ''
Twitter (X) Bearer Token
curl --request GET --url --header 'authorization: Bearer TOKEN'
Gitlab Personal Access Token
curl "<your_access_token>"
HockeyApp API Token
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c"
IIS Machine Keys
The machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
- machineKey validationKey and decryptionKey
- __VIEWSTATE cookies
Example of a machineKey from
<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
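A defensive check that follows from the machineKey section above, as an added example that is not part of the original page: it audits web.config content for machine keys that match published key material (here, the example key printed above), for keys stored in plain text, and for legacy validation algorithms. The function name, severity labels and sample configs are constructed for illustration; treating any published key as compromised is this example's premise.

```python
import xml.etree.ElementTree as ET

# Key material printed on this page. A key that has appeared in public docs,
# samples or repositories is treated as compromised (this example's premise).
PAGE_VALIDATION_KEY = (
    "87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55C"
    "DB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC")
PAGE_DECRYPTION_KEY = "E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7"
PUBLISHED_KEYS = {PAGE_VALIDATION_KEY, PAGE_DECRYPTION_KEY}
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}
HEX = set("0123456789ABCDEF")


def audit_machine_keys(web_config_xml):
    """Return sorted (severity, message) findings for each <machineKey>."""
    findings = set()
    for el in ET.fromstring(web_config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns
            continue
        for attr in ("validationKey", "decryptionKey"):
            # Values may carry modifiers, e.g. "AutoGenerate,IsolateApps".
            key = el.get(attr, "AutoGenerate").split(",")[0].strip().upper()
            if key in PUBLISHED_KEYS:
                findings.add(("critical", f"{attr} is a published key: rotate it"))
            elif key and set(key) <= HEX:
                findings.add(("warning", f"{attr} is stored in plain text"))
        algo = el.get("validation", "").upper()
        if algo in LEGACY_VALIDATION:
            findings.add(("warning", f"validation={algo} is a legacy algorithm"))
    return sorted(findings)


# Constructed sample configs (not taken from any real system).
COPIED_FROM_DOCS = f"""<configuration><system.web>
  <machineKey validationKey="{PAGE_VALIDATION_KEY}"
              decryptionKey="{PAGE_DECRYPTION_KEY}" validation="SHA1" />
</system.web></configuration>"""
AUTO_GENERATED = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("copied", COPIED_FROM_DOCS), ("auto", AUTO_GENERATED)):
        print(name, audit_machine_keys(cfg))
```

Extend `PUBLISHED_KEYS` with any key material your organisation has found in public samples, templates or repositories, and run the check over every web.config in source control and on deployed hosts.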
- Is a tool that lets you find keys while surfing the web:
- Is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid:
- Find credentials all over the place:
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo /~
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
trufflehog git /~
trufflehog github --endpoint --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
- General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets:
- Use these templates to test an API token against many API service endpoints:
nuclei -t token-spray/ -var token=token_list.txt
- A library for detecting known or weak secrets across many platforms:
python examples/ --url
python examples/ eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo
python ./badsecrets/examples/ --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
python ./badsecrets/examples/ --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
python ./badsecrets/examples/ --url https://localhost/
- Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more: