urlcv

JavaScript Secrets Checker

Enter a URL to scan its front-end JavaScript for hard-coded API keys, tokens, endpoints, and sensitive strings before attackers find them.

Javascript Secrets Api Keys Tokens Security Scanner Devtools

Speed up your recruitment workflow

URLCV automates CV parsing, candidate scoring, and shortlist generation — so you can place more candidates, faster.

Start free trial →

Front-End Security Audit

Scan any website for hard-coded secrets in JavaScript

Enter a URL and we'll fetch the page, extract every inline and external JavaScript asset, and check them against 30+ patterns for API keys, tokens, credentials, and sensitive strings.

  • Checks the first page load only — JS loaded dynamically or behind auth is not scanned.
  • Up to 40 external scripts are fetched per scan.
  • Some sites may block automated requests — a missing result does not mean the asset is clean.
  • This is a lightweight public check, not a full security assessment or penetration test.
What you get

A prioritised list of hard-coded secrets, leaked credentials, and internal endpoints found in the site's JavaScript.

Why it matters

Secrets in client-side JS are visible to anyone with a browser. Attackers actively scan for exposed keys and tokens.

Who it's for

Developers, security engineers, pentesters, agencies, and founders checking production sites.

Website URL

HTTPS URLs only. The page and its JavaScript assets are fetched server-side.

Try:

JavaScript Secrets Checker

Enter any public URL and we'll fetch the page, extract every inline and external JavaScript asset, and scan them against 30+ patterns for hard-coded secrets.

What it detects

  • Cloud provider keys — AWS access keys (AKIA…), Google API keys (AIza…), Azure keys
  • Payment & SaaS tokens — Stripe (sk_live_…, pk_live_…), Twilio, SendGrid, Slack, GitHub, GitLab, npm tokens
  • Authentication secrets — JWTs (eyJ…), Bearer tokens, OAuth client secrets, basic-auth credentials in URLs
  • Private keys — RSA, EC, PGP, SSH private key blocks embedded in strings
  • Database & infrastructure — connection strings (mongodb://, postgres://, mysql://), Redis URLs, SMTP credentials
  • Generic patterns — variables named password, secret, api_key, token, auth assigned to string literals
  • Internal endpoints — localhost URLs, internal IP ranges (10.x, 172.16–31.x, 192.168.x), staging/dev subdomains
  • Encoded secrets — suspiciously long Base64 strings that look like encoded credentials

Severity levels

Each finding is tagged critical, high, medium, or low so you can triage quickly.

Who it's for

  • Front-end developers checking production bundles before or after deploy
  • Security engineers auditing third-party scripts
  • DevOps teams checking CI artefacts for leaked credentials
  • Bug bounty hunters looking for low-hanging fruit
  • Anyone who's ever thought "surely nobody hard-coded a key in the client bundle"

Related tools

Website Stack Fingerprinter
Detect what a website is likely built with using only public browser-visible clues (evidence-based, no scanning).
Website Vendor Audit
See which third-party vendors a page appears to load, what they are likely for, and what is worth reviewing for privacy and performance.
Source Map Checker
Check any public website for exposed JavaScript source maps and debug artefacts that could leak source code.
Website Roast
50 checks for tool #50. Enter any URL and get a brutal-but-beautiful report card with a score out of 1000, letter grade, and sharp roast commentary.