UnsecuredAPIKeys.Lite by UnsecuredAPIKeys-com

CLI tool discovers and validates exposed API keys

Created 5 months ago
408 stars

Top 71.5% on SourcePulse

Project Summary

This project provides a command-line tool for discovering and validating exposed API keys on GitHub, aimed at security researchers and developers for educational purposes. It helps users understand common API key exposure vectors and promotes responsible disclosure practices by demonstrating how keys can be found in public repositories.

How It Works

The tool operates in two main modes: a scraper that uses a GitHub token to search for common API key patterns (OpenAI, Anthropic, Google) via regex and stores findings in a local SQLite database, and a verifier that validates these discovered keys against the respective provider APIs. This approach allows for practical demonstration of security vulnerabilities without requiring complex setup or extensive knowledge of API security.

Quick Start & Requirements

  • Install: Download pre-compiled executables for Windows or Linux from the project's Releases page. No .NET runtime is required for these self-contained binaries.
  • Prerequisites: A GitHub Personal Access Token with public_repo scope is required for searching. Building from source requires the .NET 10 SDK.
  • Configuration: Configure the GitHub token and database path via the CLI menu or by copying and editing appsettings.example.json to appsettings.json.
  • Links: GitHub token creation: https://github.com/settings/tokens.

Highlighted Details

  • CLI-only interface for the Lite version.
  • Limited to searching GitHub repositories only.
  • Supports validation for OpenAI, Anthropic, and Google AI providers.
  • Valid key cap is set at 50 keys.
  • Strictly for educational and security awareness purposes.

Maintenance & Community

A full-featured version with a Web UI, broader provider support, and higher limits is available at www.UnsecuredAPIKeys.com. The legacy UI branch is no longer actively maintained. No specific community channels (e.g., Discord, Slack) are listed.

Licensing & Compatibility

This project uses a custom MIT-based license requiring visible attribution. Any use of the code must include the display text "Based on UnsecuredAPIKeys Open Source" with a link to the project's GitHub repository. Commercial use compatibility is not explicitly detailed beyond this attribution requirement.

Limitations & Caveats

The "Lite" version is intentionally limited in scope, supporting only GitHub searches, a few API providers, and a small cap on valid keys. It is strictly intended for educational use and security awareness; unauthorized access and public sharing of discovered keys are prohibited.

Health Check

  • Last Commit: 1 month ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 11 stars in the last 30 days
