Free tool

Secret leak scanner

Paste code, a config file, or a .env and find leaked keys, tokens, and passwords before they ship. It runs in your browser, so nothing you paste is ever uploaded.

Your code never leaves your browser. The scan runs right here on your device.

Built on the same leak patterns our own pre-push checks use. Nothing is stored.

What we look for

The leaks that actually hurt

These are the credential types that get scraped, abused, and turned into a bad day. We flag them, mask them, and tell you what to do next.

Cloud and provider keys

AWS access keys, Google API keys, and OAuth tokens. These unlock real infrastructure and real bills, and they get scraped from public repos within minutes of being pushed.

Payment and platform tokens

Stripe secret and webhook keys, GitHub and GitLab access tokens, and Slack tokens. One of these in the wrong place can drain an account or expose your whole codebase.

Private keys and database URLs

SSH and TLS private key blocks, and database connection strings with the password baked right into the URL. Both are full-access credentials hiding in plain sight.

Hard-coded passwords and high-entropy strings

Assignments like password = "..." and long random-looking hex or base64 values that look like keys. We flag them so you can decide, and we never echo the value back.
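The checks described above for private key blocks, database URLs with an embedded password, hard-coded password assignments, and high-entropy strings can be sketched as follows. This is an added example, not UpperLevel's scanner code: the rule names, regular expressions, and entropy thresholds are assumptions chosen for illustration, and the sample input is constructed.

```javascript
// Added example, not UpperLevel's code. Patterns and thresholds are assumptions.
const RULES = [
  { id: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/g },
  // scheme://user:password@host (capture group 1 is the password)
  { id: "db-url-password", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:([^\s@\/]+)@/gi },
  // password = "..." style assignments (capture group 1 is the value)
  { id: "hardcoded-password", re: /\b(?:password|passwd|pwd|secret)\b\s*[:=]\s*["']([^"']{4,})["']/gi },
];

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// A long hex or base64-looking token counts as a key only if it is random enough.
function looksLikeKey(token) {
  const isHex = /^[0-9a-fA-F]+$/.test(token);
  return shannonEntropy(token) >= (isHex ? 3.0 : 4.0); // assumed thresholds
}

function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of RULES) {
      for (const m of line.matchAll(re)) {
        const secret = m[1] ?? m[0];
        findings.push({ line: i + 1, rule: id, length: secret.length });
      }
    }
    for (const m of line.matchAll(/[A-Za-z0-9+\/_-]{32,}={0,2}/g)) {
      if (looksLikeKey(m[0])) findings.push({ line: i + 1, rule: "high-entropy-string", length: m[0].length });
    }
  });
  return findings; // rule, line and length only: the matched value is never returned
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = [
  "DATABASE_URL=postgres://app:hunter2hunter2@db.internal:5432/prod",
  'password = "correct-horse-battery"',
  "API_KEY=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
  "build_id = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "-----BEGIN OPENSSH PRIVATE KEY-----",
].join("\n");
```

The repeated-character `build_id` line is long enough to match the token pattern but has zero entropy, so it is not flagged; lowering the thresholds trades missed keys for more false positives.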

Questions

Secret scanning, answered

Does my code get uploaded anywhere?

No. The scan runs entirely in your browser using JavaScript on your own device. What you paste is never sent to UpperLevel or anyone else. You can open your network tab and watch: scanning makes no request at all.

Is this really free?

Yes, completely. No signup, no trial, no credit card. We built it because these are the same leak patterns our own pre-push checks catch internally, and every developer is exposed to them.

It found something. What do I do now?

Treat anything real as compromised. Rotate the credential at its source right away, then remove it from your code and load it from a secret store or environment variable instead. Leave your email after a scan and a real engineer will help you rotate safely.

It found nothing. Am I safe?

A clean result is a good sign, not a guarantee. New token formats appear constantly, and a leak can sit in a file you did not paste. Ongoing protection comes from a host that watches for this, not a one-time check.

A leak is a symptom. Watchful hosting is the fix.

Finding a leaked key once is good. Never shipping one again is better. UpperLevel sets up secret handling properly, and a real person answers in under five minutes when something needs eyes.