Scan JavaScript files for API keys, tokens, and secrets

Why Supaleak

The problem we solve

Modern development reality

Development teams are shipping faster than ever. Visual coders, low-code tools, and rapid prototyping mean code is deployed in hours, not weeks.

You know the drill: ship fast, break things, fix later.

But those secrets? They don't wait for your next sprint.

While this speed enables innovation, it also increases the risk of exposing sensitive credentials (API keys, tokens, and secrets) in JavaScript files.

The solution

Supaleak provides continuous monitoring of your production websites, automatically scanning JavaScript files for exposed secrets after launch. Catch leaks before attackers do, minimize security risks, and protect your infrastructure, all while maintaining your development velocity.

Free Supabase Scanner

Scan your website for exposed Supabase credentials and check RLS configuration

Free • 2 scans per day • No account required

How It Works

Simple workflow

01 Add Website

Add a single URL or bulk import multiple websites from a file (.txt or .csv).

02 Scan

Automatically scans JavaScript files using Kingfisher rules to detect API keys, tokens, and secrets.

03 Validate (PRO)

Validate detected secrets to check if they're active and identify exposed sensitive data (Pro feature).

04 Schedule & Monitor (PRO)

Set up automated scans with scheduling and receive email notifications when new secrets are detected (Pro feature).

Detect secrets from

AWS
Slack
Supabase
GitHub
Stripe
Google Cloud
Azure
Firebase
SendGrid
Twilio
DigitalOcean
Vercel
MongoDB
PostgreSQL
Redis
OpenAI
Anthropic
Shopify
PayPal

Why Validate? (PRO)

Reduce false positives and focus on real vulnerabilities

Scans detect potential secrets, but many are false positives—test keys, example values, or already-revoked tokens. Validation checks if secrets are actually active and exposed, so you only fix what matters.

Scan finds secrets (8 secrets) → Supaleak validates → 3 real, 5 false → False positives removed → Fix real issues

Validation tests each detected secret to verify if it's actually active and exposed. This eliminates false positives—test keys, example values, and revoked tokens—so you only spend time fixing real security issues.

Why Scheduled Scans? (PRO)

Continuous protection for your production sites

You're constantly pushing code to production. While vibe coding, it's easy to accidentally leak secrets in JavaScript files. One-time scans miss new deployments, but scheduled scans catch leaks as they happen.

git push → Deploy → Time passes → Supaleak scans → Alert sent

Scheduled scans run automatically at your chosen intervals (daily, weekly, or custom), ensuring you're notified immediately when secrets appear in production—even if you deployed hours ago.

Pricing

Choose your plan

Free

$0/month
  • 1 website
  • 3 scans total
  • 1 scheduled scan
  • Bulk import: not included
  • CSV export: not included

Pro

$20/month
  • Unlimited websites
  • Unlimited scans
  • Unlimited scheduled scans
  • Bulk import
  • CSV export
  • Email notifications