secret-scanner
Detects leaked Cloudflare API tokens in code or diffs to prevent accidental exposure.
Detects leaked DigitalOcean API tokens in code or diffs to prevent accidental exposure.
Detects leaked Discord bot tokens in code or diffs to prevent accidental exposure.
Detects leaked GitHub tokens (e.g., ghp_, fine-grained) in code or diffs to prevent accidental exposure.
Detects leaked Google API keys (e.g., AIza..., GOCSPX-...) in code or diffs to prevent accidental exposure.
Detects leaked Mailgun API keys in code or diffs to prevent accidental exposure.
Detects leaked MongoDB connection strings (e.g., mongodb+srv:// with embedded passwords) in code or diffs to prevent accidental exposure.
Detects leaked MySQL connection strings (e.g., mysql:// with embedded passwords) in code or diffs to prevent accidental exposure.
Detects leaked npm tokens (e.g., npm_...) in code or diffs to prevent accidental exposure.
Detects leaked OpenAI API keys (e.g., sk-...) in code or diffs to prevent accidental exposure.
Detects leaked PyPI tokens in code or diffs to prevent accidental exposure.
Detects leaked Redis connection strings (e.g., redis:// with embedded passwords) in code or diffs to prevent accidental exposure.
Detects leaked SendGrid API keys in code or diffs to prevent accidental exposure.
Detects leaked Shopify API keys in code or diffs to prevent accidental exposure.
Detects leaked Slack tokens (e.g., xox...) in code or diffs to prevent accidental exposure.
Detects leaked Square API keys in code or diffs to prevent accidental exposure.
Detects leaked Stripe API keys (e.g., sk_live_...) in code or diffs to prevent accidental exposure.
Detects leaked Telegram bot tokens in code or diffs to prevent accidental exposure.
Detects leaked Twilio API keys in code or diffs to prevent accidental exposure.
Detects leaked HashiCorp Vault tokens in code or diffs to prevent accidental exposure.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@secret-scanner scan this code change for secrets"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
secret-scanner 🔐
Catch leaked secrets in a diff/file before you commit, push or open a PR.
secret-scanner scans a blob of code, text or a unified git diff for leaked secrets and returns a CLEAN / REVIEW / LEAK verdict. Every finding includes the secret type, provider, severity and line:column, a masked excerpt (the full secret is never echoed), and a remediation note.
Detection is 100% local — the content you scan is never sent anywhere.
MCP server for Claude / Cursor / any agent:
npx -y secret-scanner-mcp
Pay-per-call x402 API:
POST /pro/scan ($0.02 USDC on Base, no sign-up)
Free HTTP API:
POST /scan (rate-limited)
What it catches
Category | Examples
--- | ---
🔑 Provider keys | AWS (
📜 Private keys | RSA / EC / DSA / OpenSSH / PGP / encrypted private-key blocks, GCP service-account JSON
🗄️ Connection strings |
🎫 Tokens | JWTs, generic
🎲 Unknown secrets | high Shannon-entropy base64/hex blobs that look like credentials even without a known prefix
Related MCP server: credential-free
MCP server (free)
{
  "mcpServers": {
    "secret-scanner": { "command": "npx", "args": ["-y", "secret-scanner-mcp"] }
  }
}
Tool: scan_for_secrets — params: content (string, required), deep (boolean, optional; adds offline format-validity hints).
Or connect over HTTP at POST /mcp (free).
HTTP API
# Free (rate-limited 30/h/IP)
curl -X POST https://secret-scanner.vercel.app/scan \
  -H 'content-type: application/json' \
  -d '{"content":"AWS_KEY=AKIAIOSFODNN7EXAMPLE"}'

# Paid, deep, unlimited (x402 — agent pays $0.02 USDC automatically)
curl -X POST https://secret-scanner.vercel.app/pro/scan \
  -H 'content-type: application/json' \
  -d '{"content":"<your diff>"}'

Example response:
{
  "verdict": "LEAK",
  "score": 80,
  "summary": "1 potential secret(s) across 1 line(s): AWS×1. Verdict LEAK.",
  "lines": 1,
  "findings": [
    {
      "rule": "aws-access-key-id",
      "title": "AWS Access Key ID",
      "provider": "AWS",
      "severity": "high",
      "line": 1,
      "column": 9,
      "match": "AKIA…MPLE (20 chars)",
      "remediation": "Rotate the IAM key immediately in the AWS console and remove it from history."
    }
  ],
  "meta": { "deep": false, "bytes": 28, "truncated": false, "rulesEvaluated": 35, "entropyFindings": 0 }
}

Why pay-per-call?
The free tier is rate-limited. The /pro/scan route is gated by x402: your agent pays $0.02 USDC per call on Base automatically — no account, no API key. It settles on-chain to the operator's receiving wallet. Deep mode adds offline structural-validity hints for formats whose shape can be verified without any network call.
Privacy
The scan runs in-process. The content you submit is not stored and not forwarded to any third party. Secrets in findings are always masked (AKIA…MPLE (20 chars)), never returned in full.
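The response shape from the example above, the Shannon-entropy rule from the "What it catches" table and the masking described here, as an added JavaScript illustration that is not the secret-scanner project's own code; the rule regex, the entropy threshold, the diff-handling choices and the sample diff are constructed assumptions:

```javascript
// Added illustration, not the secret-scanner project's own code: a minimal scanner in the
// README's spirit. It walks a blob or unified diff line by line, applies one prefix rule (AWS
// Access Key ID) plus a Shannon-entropy rule for unknown secrets, masks every match and maps
// findings to CLEAN / REVIEW / LEAK. Regexes, thresholds and the sample diff are assumptions.
const RULES = [
  { rule: "aws-access-key-id", title: "AWS Access Key ID", provider: "AWS", severity: "high",
    re: /\bAKIA[0-9A-Z]{16}\b/g,
    remediation: "Rotate the IAM key immediately in the AWS console and remove it from history." },
];
const ENTROPY_TOKEN = /[A-Za-z0-9+\/=_-]{32,}/g; // base64/hex-looking blobs (assumed minimum length)
const ENTROPY_MIN = 4.5;                          // bits per character (assumed threshold)
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}
// Never echo the secret: keep four characters at each end plus the length, as the README does.
function mask(s) { return `${s.slice(0, 4)}…${s.slice(-4)} (${s.length} chars)`; }
function scanForSecrets(content) {
  const isDiff = /^(\+\+\+ |@@ )/m.test(content);
  const findings = [];
  content.split("\n").forEach((raw, i) => {
    // In a diff only added lines are new exposure; context and removed lines are skipped.
    if (isDiff && (!raw.startsWith("+") || raw.startsWith("+++"))) return;
    const text = isDiff ? raw.slice(1) : raw; // column counts from the file line, not the "+"
    const seen = new Set();
    for (const r of RULES) for (const m of text.matchAll(r.re)) {
      seen.add(m[0]);
      findings.push({ rule: r.rule, title: r.title, provider: r.provider, severity: r.severity,
        line: i + 1, column: m.index + 1, match: mask(m[0]), remediation: r.remediation });
    }
    for (const m of text.matchAll(ENTROPY_TOKEN)) {
      if (seen.has(m[0]) || shannonEntropy(m[0]) < ENTROPY_MIN) continue; // a rule hit wins
      findings.push({ rule: "high-entropy-string", title: "High-entropy string", provider: "unknown",
        severity: "medium", line: i + 1, column: m.index + 1, match: mask(m[0]),
        remediation: "Confirm whether this is a credential; if so, rotate it and purge it from history." });
    }
  });
  const verdict = findings.some((f) => f.severity === "high") ? "LEAK" : findings.length ? "REVIEW" : "CLEAN";
  return { verdict, findings, lines: content.split("\n").length };
}
// Constructed sample diff: the AWS documentation example key plus a random-looking 32-char blob.
const SAMPLE_DIFF = [
  "--- a/config.py", "+++ b/config.py", "@@ -1,3 +1,4 @@", " import os",
  '-AWS_KEY = os.environ["AWS_KEY"]', '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
  '+SESSION = "k3Qz8mP1xW7nB4vJ0cL9yH2tR6sF5dGe"', " DEBUG = False",
].join("\n");
console.log(JSON.stringify(scanForSecrets(SAMPLE_DIFF), null, 2));
```

Line numbers refer to the scanned text, so in diff mode they index the diff rather than the file; the entropy rule will also flag long URLs or hashes, which is why such findings are only REVIEW-grade.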
License
MIT
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Baneado98/secret-scanner'