Groww-OSS/SecretLens

SecretLens

License: MIT

SecretLens is a web UI for validating API keys, tokens, and credentials across cloud and SaaS providers.

Why SecretLens

  • Single pane to validate many credential types during triage and incident response.
  • Deterministic validation flows with explicit response visibility.
  • Script-backed JWT decoding and GCP service-account validation support.
  • Grouped endpoint variants per provider for faster testing.

Prerequisites

  • Node.js 18+
  • npm
  • Python 3 (JWT/GCP validators)

Local development

npm run install-all
pip3 install -r backend/requirements.txt
cp env.example .env
npm run dev

  • UI: http://localhost:3000
  • API: http://localhost:3001

Production build

npm run install-all
npm run build
NODE_ENV=production CORS_ORIGIN=http://localhost:3001 npm start

Supported Services

Canonical source of truth: backend/secrets-data.js.

| Service | Credential type(s) | Validation method |
|---|---|---|
| Slack | webhook, bot/user token, users.info | curl |
| GitHub | user, repos | curl |
| AWS | access key + secret key | aws_cli |
| GCP | Maps key, Geolocation key, service account JSON | curl, python |
| OpenAI | models, me, organizations | curl |
| Cloudflare | token verify, user, zones | curl |
| Hugging Face | whoami, models, spaces, datasets | curl |
| Grafana | user, org | curl |
| New Relic | insert key, license key | curl |
| Okta | users, apps | curl |
| NPM | user, whoami, org | curl |
| Opsgenie | account, users, teams | curl |
| PagerDuty | users/me, abilities | curl |
| Postman | me, accounts | curl |
| Razorpay | payments, orders, customers | curl |
| DigitalOcean | account, ssh keys | curl |
| Communication | Facebook, Twitter, Telegram, Twilio, SendGrid, Mailgun, Freshdesk, Infobip | curl |
| Payments | Stripe | curl |
| Devtools | GitLab, CircleCI, Bitbucket, Jira, Sentry, WakaTime, Heroku, Dropbox, HubSpot, Shodan, Mapbox, Spotify, YouTube | curl |
| JWT utilities | JWT decode, Honeycomb auth probe | jwt, curl |

How to add a new validator

  1. Add a new entry in backend/secrets-data.js.
  2. If needed, reuse or introduce a group value so related endpoints stay grouped in the UI.
  3. Ensure the entry has id, name, group (optional), category, fields[], and validationMethod (type, and command or url).
  4. Use one of the supported validator types handled in backend/server.js (curl, aws_cli, python, jwt, url).
  5. Open issues in GitHub Issues and include validator details (service, fields, method, and expected success/failure indicators).
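
A lint for steps 3 and 4 above, as an added example rather than code from the SecretLens repository: it checks each entry for the listed keys and for a supported validator type before the entry reaches backend/secrets-data.js. The sample entries, the shape of the fields[] items, and the unique-id rule are assumptions.

```javascript
// Added example, not SecretLens code; backend/server.js may check more or less.
const SUPPORTED_TYPES = ["curl", "aws_cli", "python", "jwt", "url"];
const REQUIRED_STRINGS = ["id", "name", "category"];
const isNonEmptyString = (v) => typeof v === "string" && v.trim() !== "";

// Returns a list of problems for one entry (an empty list means it passes).
function lintEntry(entry) {
  const problems = [];
  for (const key of REQUIRED_STRINGS) {
    if (!isNonEmptyString(entry[key])) problems.push(`missing ${key}`);
  }
  // group is optional, but when set it has to be usable as a UI grouping label.
  if (entry.group !== undefined && !isNonEmptyString(entry.group)) {
    problems.push("group must be a non-empty string when set");
  }
  if (!Array.isArray(entry.fields)) problems.push("fields must be an array");
  const vm = entry.validationMethod;
  if (vm === null || typeof vm !== "object") {
    problems.push("missing validationMethod");
    return problems;
  }
  if (!SUPPORTED_TYPES.includes(vm.type)) {
    problems.push(`unsupported validationMethod.type: ${String(vm.type)}`);
  }
  if (!isNonEmptyString(vm.command) && !isNonEmptyString(vm.url)) {
    problems.push("validationMethod needs command or url");
  }
  return problems;
}

// Lints a list of entries; also flags duplicate ids (assumption: ids are unique).
function lintEntries(entries) {
  const seen = new Set();
  const report = {};
  entries.forEach((entry, i) => {
    const problems = lintEntry(entry);
    if (isNonEmptyString(entry.id)) {
      if (seen.has(entry.id)) problems.push(`duplicate id: ${entry.id}`);
      seen.add(entry.id);
    }
    if (problems.length) report[entry.id || `#${i}`] = problems;
  });
  return report;
}

// Constructed sample entries: hypothetical service, placeholder URL, assumed field shape.
const SAMPLE_ENTRIES = [
  { id: "example_me", name: "Example: me", group: "Example", category: "Devtools",
    fields: [{ name: "token" }],
    validationMethod: { type: "url", url: "https://api.example.invalid/v1/me" } },
  { id: "example_me", name: "Example: orgs", category: "Devtools",
    fields: [], validationMethod: { type: "wget" } },
];
```

Calling lintEntries(SAMPLE_ENTRIES) passes the first entry and reports the second for its unsupported type, missing command or url, and reused id.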

Troubleshooting

  • AWS CLI in container: Alpine image installs AWS CLI via apk (aws-cli, v1 package).
  • arm64 Docker build issues: use docker buildx build --platform linux/arm64,linux/amd64 .
  • Port conflicts: ensure ports 3000 and 3001 are free.
  • Missing .env: copy env.example to .env before running compose or local env-based flows.
  • AWS CLI install failures in Docker: verify network access and retry build.

Contributing

See CONTRIBUTING.md.

Contact

Bug reports / feature requests: GitHub Issues. Security: see SECURITY.md (private disclosure via GitHub Security Advisories).

Secure & Responsible Use
SecretLens runs commands using credentials you supply. Use only against credentials you own or are authorized to test. See SECURITY.md.

Maintainers

Maintained by Groww Security.
