UnsecuredAPIKeys.Lite
The code base behind the [Former] UnsecuredAPIKeys.com
UnsecuredAPIKeys Lite
Thank you to everyone who has starred this project! Your support helps raise awareness about API key security and encourages responsible disclosure practices.
Full Version Available: www.UnsecuredAPIKeys.com
The full version offers: Web UI, all API providers, community features, and more.
A command-line tool for discovering and validating exposed API keys on GitHub. This lite version focuses on educational and security awareness purposes.
Lite Version Limits
| Feature | Lite (This Repo) | Full Version |
|---------|------------------|--------------|
| Search Provider | GitHub only | GitHub, GitLab, SourceGraph |
| API Providers | OpenAI, Anthropic, Google | 15+ providers |
| Valid Key Cap | 50 keys | Higher limits |
| Interface | CLI | Web UI + API |
| Database | SQLite (local) | PostgreSQL |
⚠️ Educational Purpose Only
This tool is for educational and security awareness purposes only.
- Learn how API keys get exposed in public repositories
- Understand the importance of secret management
- Report exposed keys responsibly to repository owners
- Never use discovered keys for unauthorized access
Do NOT publish your database or results publicly. This would expose working API keys to malicious actors.
Quick Start
1. Download
Download the latest release for your platform from Releases:
| Platform | File |
|----------|------|
| Windows | unsecuredapikeys-win-x64.exe |
| Linux | unsecuredapikeys-linux-x64 |
No .NET runtime required - these are self-contained executables.
2. Run
Windows:
.\unsecuredapikeys-win-x64.exe
Linux:
chmod +x unsecuredapikeys-linux-x64
./unsecuredapikeys-linux-x64
3. Configure GitHub Token
On first run, go to Configure Settings > Set GitHub Token.
Create a token at: https://github.com/settings/tokens
Required scope: public_repo
4. Start Searching
- Start Scraper: Searches GitHub for exposed API keys (runs continuously)
- Start Verifier: Maintains up to 50 valid keys (re-checks as needed)
- View Status: Shows current statistics
- Export Keys: Export to JSON or CSV
Building from Source (Optional)
If you prefer to build from source:
git clone https://github.com/TSCarterJr/UnsecuredAPIKeys-OpenSource.git
cd UnsecuredAPIKeys-OpenSource
dotnet build
cd UnsecuredAPIKeys.CLI
dotnet run
How It Works
Scraper
- Uses your GitHub token to search for common API key patterns
- Extracts potential keys using regex patterns for OpenAI, Anthropic, and Google
- Stores discovered keys in a local SQLite database
Verifier
- Validates discovered keys against the actual provider APIs
- Maintains exactly 50 valid keys (lite limit)
- Re-checks existing valid keys periodically
- When a key becomes invalid, verifies new ones until back to 50
Project Structure
UnsecuredAPIKeys-OpenSource/
├── UnsecuredAPIKeys.CLI/ # Main CLI application
├── UnsecuredAPIKeys.Data/ # SQLite database layer
├── UnsecuredAPIKeys.Providers/ # API validation providers
├── unsecuredapikeys.db # SQLite database (auto-created)
└── README.md
Prerequisites
- .NET 10 SDK - Download here
- GitHub Personal Access Token - Create here
- Platform: Windows, macOS, or Linux
Supported Providers (Lite)
| Provider | Pattern Examples |
|----------|------------------|
| OpenAI | sk-proj-*, sk-or-v1-* |
| Anthropic | sk-ant-api* |
| Google AI | AIzaSy* |
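The same prefixes can be checked on your own files before they are pushed. This is an added example, not code from the project: the tail character set, the 20-character minimum and the placeholder markers are assumptions, and the sample input is constructed.

```python
import re

# Prefixes come from the provider table above; the tail charset and the
# 20-character minimum are assumptions for this sketch, not the tool's regexes.
PREFIXES = {
    "OpenAI": ("sk-proj-", "sk-or-v1-"),
    "Anthropic": ("sk-ant-api",),
    "Google AI": ("AIzaSy",),
}
TAIL = r"[A-Za-z0-9_\-]{20,}"
# The lookbehind rejects prefixes that are only the tail of a longer word.
PATTERNS = {
    provider: re.compile(
        r"(?<![A-Za-z0-9_\-])(?:" + "|".join(map(re.escape, prefixes)) + ")" + TAIL
    )
    for provider, prefixes in PREFIXES.items()
}
# Obvious template values that should not fail a commit (assumed markers).
PLACEHOLDER = re.compile(r"YOUR|EXAMPLE|X{8,}|0{8,}", re.IGNORECASE)


def redact(token: str) -> str:
    """Keep just enough of the token to locate it, never the full secret."""
    return token[:10] + "..." + f"({len(token)} chars)"


def scan_text(text: str, source: str = "<memory>"):
    """Return (source, line_no, provider, redacted) for each likely key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                if PLACEHOLDER.search(token):
                    continue  # template value, not a live secret
                findings.append((source, line_no, provider, redact(token)))
    return findings


# Constructed sample input: the key-like strings are fabricated filler.
SAMPLE = "\n".join([
    'OPENAI_API_KEY = "sk-proj-' + "aB3dE5gH7jK9mN1pQ3sT5vW7" + '"',
    'ANTHROPIC_API_KEY = "sk-ant-api03-YOUR_KEY_GOES_HERE_PLEASE"',
    "url = f'https://maps.example/?key=AIzaSy" + "Zz9yX8wV7uT6sR5qP4oN3mL2kJ1iH0gFe" + "'",
    "note = 'task-proj-management-backlog-items-2024'",
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.py"):
        print(finding)
```

Run as a pre-commit step over staged files and fail the commit when `scan_text` returns anything; findings are redacted so the hook's own log does not become a second leak.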
Configuration
Copy appsettings.example.json to appsettings.json and configure:
{
  "GitHub": {
    "Token": "ghp_YOUR_TOKEN"
  },
  "Database": {
    "Path": "unsecuredapikeys.db"
  }
}
Or configure directly via the CLI menu.
Database
The SQLite database (unsecuredapikeys.db) is auto-created on first run in the working directory.
| Action | How |
|--------|-----|
| Location | Same folder as the executable |
| Reset | Delete unsecuredapikeys.db and restart |
| Backup | Copy the .db file |
| View data | Use any SQLite browser (e.g., DB Browser for SQLite) |
Search Queries
On first run, default search queries are automatically seeded:
- OpenAI: sk-proj-, sk-or-v1-, OPENAI_API_KEY
- Anthropic: sk-ant-api, ANTHROPIC_API_KEY
- Google: AIzaSy, GOOGLE_API_KEY
The scraper rotates through these queries automatically.
Rate Limiting
Built-in delays prevent API abuse:
| Operation | Delay |
|-----------|-------|
| Between searches | 5 seconds |
| Between verifications | 1 second |
| Batch size | 10 keys |
GitHub's API allows ~30 searches/minute with authentication.
Troubleshooting
| Issue | Solution |
|-------|----------|
| "No GitHub token configured" | Go to Configure Settings > Set GitHub Token |
| "Rate limit exceeded" | Wait 60 seconds, or use a different token |
| Build fails | Ensure .NET 10 SDK is installed: dotnet --version |
| No keys found | Check your token has public_repo scope |
| Database locked | Close other apps using the .db file |
Legal & Ethical Use
- Educational Purpose: This tool demonstrates API security vulnerabilities
- Responsible Use: Only use for legitimate security research
- No Abuse: Do not use discovered keys for unauthorized access
- Compliance: Follow all applicable laws and terms of service
License
This project uses a custom attribution-required license based on MIT.
Attribution Required
Any use of this code requires visible attribution:
- Display: "Based on UnsecuredAPIKeys Open Source"
- Link to: https://github.com/TSCarterJr/UnsecuredAPIKeys-OpenSource
- Must be visible in UI/documentation
See LICENSE for full details.
Legacy UI Version
Looking for the original Web UI + WebAPI architecture? Check the legacy_ui branch.
Note: The legacy branch is no longer actively maintained. For the full-featured web experience, use www.UnsecuredAPIKeys.com.
Full Version
For higher limits, more providers, web interface, and community features:
Remember: Use responsibly and in accordance with applicable laws.
