Show HN: KeyLeak Detector – Scan websites for exposed API keys and secrets
Hacker News (score: 15)

Description
The problem: Modern web development moves fast. You're vibe-coding, shipping features, and suddenly your AWS keys are sitting in a <script> tag visible to anyone who opens DevTools. I've personally witnessed this happen to at least 3-4 production apps in the past year alone.
KeyLeak Detector runs through your site (headless browser + network interception) and checks for 50+ types of leaked secrets: AWS/Google keys, Stripe tokens, database connection strings, LLM API keys (OpenAI, Claude, etc.), JWT tokens, and more.
It's not perfect; there are false positives, but it's caught real issues in my own projects. Think of it as a quick sanity check before you ship.
Use case: Run it on staging before deploying, or audit your existing sites. Takes ~30 seconds per page.
MIT licensed, for authorized testing only.
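The kind of check described above, as an added example that is not KeyLeak Detector's own code: a pattern scan over one captured response body, with two filters for the false positives the post mentions. The pattern set, function names and sample page are assumptions made for illustration.

```python
import base64
import json
import re

# Illustrative subset of patterns, written for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@\"']+:[^\s@\"']+@[^\s\"'/]+"),
    "jwt": re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+"),
}
# Placeholder key from AWS documentation; matching it is noise, not a leak.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}

def looks_like_jwt(token):
    """False-positive filter: the header segment must decode to JSON with "alg"."""
    header = token.split(".")[0]
    try:
        raw = base64.urlsafe_b64decode(header + "=" * (-len(header) % 4))
        return "alg" in json.loads(raw)
    except (ValueError, TypeError):
        return False

def redact(value):
    """Keep enough to locate the secret without copying it into a report."""
    return value[:6] + "..." + value[-2:]

def scan(body):
    """Return sorted (kind, redacted_value) pairs found in one response body."""
    findings = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            value = match.group(0)
            if value in KNOWN_PLACEHOLDERS:
                continue
            if kind == "jwt" and not looks_like_jwt(value):
                continue
            findings.add((kind, redact(value)))
    return sorted(findings)

# Constructed sample page; none of these values are real credentials.
SAMPLE_PAGE = """<script>
const cfg = {awsKey: "AKIAQ7ZK2M4XN9PLW3TD", docsKey: "AKIAIOSFODNN7EXAMPLE"};
const db = "postgres://app:s3cretpw@db.example.internal:5432/prod";
const session = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJl";
const junk = "eyJunk.eyJunk.sig";
</script>"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_PAGE):
        print(kind, value)
```

Run against the HTML and every intercepted network response of a staging page, a non-empty result is a reason to stop the deploy and rotate the reported credential.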