A Chrome extension that scans every page you visit for API keys, tokens, and credentials. 80+ patterns. 10 attack surfaces. Zero config.
Install once. Every page you visit is automatically scanned for leaked secrets across all attack surfaces.
Covers cloud providers, payment platforms, communication tools, AI services, databases, SaaS, infrastructure keys, crypto secrets, and generic patterns.
Scans script URLs, inline scripts, external JS, meta tags, hidden form fields, data attributes, HTML comments, URL parameters, web storage, and network responses.
Calculates Shannon entropy for detected strings. High-entropy values get flagged as likely secrets, reducing false positives on random-looking tokens.
Pure vanilla JavaScript. No external libraries, no build step, no framework. Lightweight, fast, and auditable. Just the extension code and nothing else.
Built on the latest Chrome extension architecture with a service worker. Future-proof, secure, and compatible with all modern Chromium browsers.
Professional dashboard with filtering, sorting, and search. Export findings as JSON or CSV. Badge counter on the extension icon shows live results.
From cloud provider keys to cryptocurrency wallet seeds, keyFinder recognizes credentials across the entire modern stack.
Every page load triggers a comprehensive scan across all the places where secrets commonly leak.
Examines URLs in script tags for embedded API keys and tokens passed as query parameters.
Parses all inline JavaScript blocks on the page for hardcoded credentials and secret assignments.
Fetches and analyzes external JavaScript files loaded by the page for leaked keys and tokens.
Inspects meta tag content attributes where configuration keys and tokens are sometimes exposed.
Scans hidden input fields that developers use to pass tokens and API keys through forms.
Checks HTML data-* attributes where frontend frameworks often store configuration secrets.
Extracts and scans HTML comments for accidentally committed credentials and debug tokens.
Analyzes query strings and URL fragments for API keys and authentication tokens passed in the clear.
Monitors localStorage and sessionStorage for secrets stored client-side by web applications.
Intercepts XHR and Fetch responses to detect secrets returned by APIs and backend services.
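The entropy check and three of the scan surfaces listed above (HTML comments, hidden form fields, inline scripts), as an added example that is not keyFinder's own code. It runs in Node over a constructed HTML string instead of the live DOM, and the regexes, the candidate pattern and the 3.5 bits-per-character threshold are assumptions.

```javascript
// Added example. Regexes, names and the 3.5-bit threshold are assumptions, not keyFinder's code.
const SURFACES = {
  comment: /<!--([\s\S]*?)-->/g,
  // Assumes type= precedes value= inside the tag; a DOM-based scanner would not care.
  hiddenField: /<input\b[^>]*type=["']hidden["'][^>]*value=["']([^"']*)["']/gi,
  inlineScript: /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi,
};
const CANDIDATE = /[A-Za-z0-9_-]{20,}/g; // any long token-like run
const THRESHOLD = 3.5; // bits per character

// Shannon entropy H = -sum(p_i * log2 p_i) over the characters of s.
function shannonEntropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Pull text from each surface, find candidates, keep only high-entropy ones.
function scan(html) {
  const findings = [];
  for (const [surface, re] of Object.entries(SURFACES)) {
    for (const m of html.matchAll(re)) {
      for (const [value] of m[1].matchAll(CANDIDATE)) {
        const entropy = shannonEntropy(value);
        if (entropy >= THRESHOLD) findings.push({ surface, value, entropy });
      }
    }
  }
  return findings;
}

// Constructed sample page; every value below is made up for this example.
const SAMPLE = `
<!-- TODO remove: api_key=q7Zp2LxV9tB4mKc8RwY1sHd6 -->
<input type="hidden" name="csrf" value="abcabcabcabcabcabcabcabc">
<input type="hidden" name="token" value="Xk3vN8qLz5Tg1RbW7yJc0HfD">
<script>var cfg = { id: "0000-0000-0000-0000-0000" };</script>`;

for (const f of scan(SAMPLE)) {
  console.log(`${f.surface}: ${f.value} (${f.entropy.toFixed(2)} bits/char)`);
}
```

The repetitive hidden-field value and the zero-filled id are long enough to be candidates but fall below the threshold. Entropy alone also passes content hashes and other random-looking non-secrets, so it works best paired with provider-specific patterns.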
Two ways to install. Both take less than 60 seconds. No build tools required.
chrome://extensions
git clone https://github.com/momenbasel/keyFinder.git
chrome://extensions
keyFinder directory
Install keyFinder and let it passively scan every page you visit. No configuration needed.