This tool is designed exclusively for:
- Security research and vulnerability disclosure
- Educational purposes
- Authorized security testing with explicit permission
Strictly prohibited:
- Unauthorized access to systems or data
- Exploiting discovered credentials
- Any malicious or illegal activities
By using this tool, you agree to responsibly disclose all findings to repository owners.
- Smart Detection - Regex patterns with entropy filtering to reduce false positives
- Live Validation - Verifies keys against actual APIs in real-time
- Auto-Reporting - Automatically creates GitHub issues for exposed keys
- Organized Output - Results saved by key type with timestamps
- Configurable Rate Limits - Adjust validation speed based on your API tier
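To make the "Smart Detection" point concrete, here is an added, self-contained illustration of the detection stage (example code written for this page, not key_hunter's own implementation). It uses fixed key prefixes and minimum lengths in place of the tool's regex patterns so that it runs with the Rust standard library alone, then applies a Shannon-entropy filter to the part of each candidate after the prefix. The prefixes, the length limits, the 3.5-bit threshold and the sample input are all assumptions for the example; the sample lines are constructed, not real repository content.

```rust
use std::collections::HashMap;

/// One detector: the literal prefix a key type starts with and the minimum
/// number of characters expected after it. Prefixes and lengths here are
/// assumptions for the example, not key_hunter's pattern set.
struct Detector {
    key_type: &'static str,
    prefix: &'static str,
    min_len: usize,
}

const DETECTORS: &[Detector] = &[
    Detector { key_type: "openai", prefix: "sk-", min_len: 20 },
    Detector { key_type: "github", prefix: "ghp_", min_len: 36 },
];

/// A candidate that passed both the pattern match and the entropy filter.
#[derive(Debug)]
pub struct Finding {
    pub key_type: &'static str,
    pub value: String,
    pub entropy: f64,
}

/// Shannon entropy in bits per character. Placeholders such as
/// "your-key-here" or "0000..." score far below a real random key.
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts
        .values()
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Characters that may appear inside a key token; anything else splits tokens.
fn is_token_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || c == '_' || c == '-'
}

/// Scan `text` for tokens matching a detector, then drop matches whose body
/// (the part after the prefix) is too short or too low-entropy.
pub fn scan(text: &str, min_entropy: f64) -> Vec<Finding> {
    let mut findings = Vec::new();
    for token in text.split(|c: char| !is_token_char(c)).filter(|t| !t.is_empty()) {
        for det in DETECTORS {
            if !token.starts_with(det.prefix) {
                continue;
            }
            let body = &token[det.prefix.len()..];
            // Length check first: short matches like "sk-example" are never keys.
            if body.len() < det.min_len {
                continue;
            }
            // Entropy check: a real key's body is close to uniformly random.
            let entropy = shannon_entropy(body);
            if entropy < min_entropy {
                continue;
            }
            findings.push(Finding { key_type: det.key_type, value: token.to_string(), entropy });
        }
    }
    findings
}

/// Constructed sample input for this example (not real repository content).
/// Two genuine-looking keys are mixed with the placeholders a bare regex would flag.
pub const SAMPLE: &str = "\
OPENAI_API_KEY=sk-your-key-here
OPENAI_API_KEY=sk-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789aceg
export OPENAI_API_KEY=sk-0000000000000000000000000000000000000000
GITHUB_TOKEN1=ghp_your_token_here
token = \"ghp_0123456789abcdefghijklmnopqrstuvwxyz\"
url = https://sk-example.com/path
";

fn main() {
    for f in scan(SAMPLE, 3.5) {
        println!("{:<7} entropy={:.2} {}", f.key_type, f.entropy, f.value);
    }
}
```

Running it reports only the two high-entropy candidates: the `your-key-here` and `your_token_here` placeholders fail the length check, the all-zero key fails the entropy check, and `sk-example` from the URL is rejected by length. The same two-stage filter is what keeps a scanner from opening issues about sample values in documentation.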
- Shodan
- OpenAI
- OpenRouter
- Claude (Anthropic)
- Gemini
- GitHub
- xAI
- Rust 1.70 or later
- libcurl development libraries
Install libcurl for your platform:

```bash
# Ubuntu/Debian
sudo apt install libcurl4-openssl-dev
# macOS
brew install curl
# Fedora/RHEL
sudo dnf install libcurl-devel
```

Then clone and build:

```bash
git clone https://github.com/code-zm/key_hunter.git
cd key_hunter
cargo build --release
```

The binary will be located at target/release/key-hunter.
Create a .env file:
```bash
# GitHub token for searching
GITHUB_TOKEN1=ghp_your_token_here
# GitHub token for creating issues (optional)
ISSUES_GITHUB_TOKEN=ghp_your_token_here
```

Search and validate:

```bash
# Search for keys and validate them
./target/release/key-hunter search --key-type shodan --validate
# Search all supported key types
./target/release/key-hunter search --key-type all --validate
```

Report findings:

```bash
# Preview issues before creating them
./target/release/key-hunter report --dry-run
# Create GitHub issues for exposed keys
./target/release/key-hunter report
```

See docs/usage.md for complete command reference and usage examples.
Available commands:
- search - Search GitHub for exposed API keys
- validate - Validate keys from a file
- test - Test a single key
- report - Create GitHub issues for exposed keys
- list - List available detectors and validators
Rate Limits: Each validator enforces a configurable minimum delay between validation requests; the defaults are chosen to stay under each provider's API restrictions:
- OpenAI: 1000ms (60 RPM)
- Claude: 2000ms (30 RPM)
- Gemini: 2000ms (30 RPM)
- Shodan: 1000ms (60 RPM)
- xAI: 1000ms (60 RPM)
- OpenRouter: 3000ms (20 RPM)
- GitHub: 2000ms (30 RPM)
Rate limits can be customized in config/default.toml under the [validators] section.
GitHub Search Rate Limits:
- Authenticated: 30 requests/minute per token
- Unauthenticated: 10 requests/minute per IP
See docs/usage.md for complete configuration details.
Results are automatically organized:
```
results/
├── shodan/valid_keys_20251110_143022.json
├── openai/valid_keys_20251110_151500.json
└── claude/valid_keys_20251110_160000.json
```

Only valid keys are saved. Invalid or expired keys are not written to disk. Because these files contain live credentials, restrict their permissions and keep the results/ directory out of version control.
If you discover exposed keys:
1. Immediately report to the repository owner
2. Do NOT use the keys for any purpose
3. Do NOT publicly disclose until the owner has had time to respond

Key Hunter's report command automates step 1 by creating an issue in the affected repository.
GPL 3.0 License - See LICENSE file for details
Built with:
- Tokio - Async runtime
- curl-rust - HTTP client
- Clap - CLI framework
- Serde - Serialization
- indicatif - Progress bars
This tool is provided for educational and authorized security research purposes only.
The authors assume no liability for misuse or damage caused by this tool. Users are solely responsible for ensuring they have proper authorization before testing any systems. Unauthorized access to computer systems is illegal under the Computer Fraud and Abuse Act and similar laws worldwide.
Always:
- Obtain explicit written permission before testing systems you don't own
- Comply with all applicable laws and regulations
- Follow responsible disclosure practices
- Respect rate limits and terms of service
Made with ❤️ for the security community
