- Found an API key during recon?
- Don't guess — validate it.
- Secrets Ninja is an open-source web app that tests leaked credentials across 61 services (AWS, Stripe, OpenAI, MongoDB, Slack…) and shows you exactly what they unlock.
TL;DR
Secrets Ninja is a free, MIT-licensed GUI tool by Nikhil Panwar that validates and investigates API keys leaked during bug bounty hunting or pentests. It ships with 61 dedicated service modules covering AWS, MongoDB, Stripe, PayPal, OpenAI, GitHub, Slack, SendGrid, Shopify and more. Paste a key, click validate, see instantly whether it's live and what it can access — no curl incantations required.

Meet Secrets Ninja
If you've spent any time in bug bounty, you know the ritual. You scrape a public JS bundle, regex out what looks like a key, and then hit the KeyHacks cheatsheet to copy-paste the right curl command. Get the syntax wrong, re-encode the base64, wonder if the key is dead or if you just mistyped. Repeat for every service.
Secrets Ninja kills that loop. It's a React + Vite single-page app (with a small Python FastAPI proxy for anything CORS-blocked or SDK-only) where each supported service gets its own module. Drop your key into the right form, hit submit, and the tool fires the validation request and renders the parsed response in-browser. If it's valid, you're already investigating — listing S3 buckets, enumerating Stripe customers, pulling Slack channels — from the same UI.
Why it matters
Triage is the single most time-consuming part of secret-leak bug bounty work. A leaked key with no live scope is a duplicate or low-impact report. A leaked key that reads production customer data is a P1. The difference is minutes of validation work — and Secrets Ninja compresses that into seconds.
It also lowers the barrier for newcomers. You no longer need to memorise that Stripe keys are validated with GET /v1/charges, that Mailgun needs HTTP basic auth with api as the username, or that Slack tokens have to hit auth.test. The tool encodes that per-service knowledge as UI.
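A sketch of how that per-service knowledge can be encoded as data and read back during triage, as an added example (not Secrets Ninja's own code and not its detectors.json schema): the three endpoints are the ones named above, while the table layout, field names, the `unknown` verdict and the constructed sample replies in the test are this example's own assumptions.

```python
import base64
import json

# Constructed detector table in the spirit of a detectors.json entry: each service
# records how its validation request is built and how the reply is read.
# Endpoints follow the article (Stripe GET /v1/charges, Mailgun HTTP basic auth
# with "api" as the username, Slack auth.test); field names are this example's own.
DETECTORS = {
    "stripe": {"method": "GET", "url": "https://api.stripe.com/v1/charges",
               "auth": "bearer", "live_if": lambda s, b: s == 200},
    "mailgun": {"method": "GET", "url": "https://api.mailgun.net/v3/domains",
                "auth": "basic:api", "live_if": lambda s, b: s == 200},
    # Slack answers 200 even for bad tokens; the verdict lives in the JSON "ok" field.
    "slack": {"method": "POST", "url": "https://slack.com/api/auth.test",
              "auth": "bearer", "live_if": lambda s, b: b.get("ok") is True,
              "dead_if": lambda s, b: b.get("ok") is False},
}

def build_request(service, key):
    """Return (method, url, headers) for the service's validation call."""
    d = DETECTORS[service]
    if d["auth"] == "bearer":
        headers = {"Authorization": f"Bearer {key}"}
    else:  # "basic:<username>": fixed username, the key is the password
        user = d["auth"].split(":", 1)[1]
        token = base64.b64encode(f"{user}:{key}".encode()).decode()
        headers = {"Authorization": f"Basic {token}"}
    return d["method"], d["url"], headers

def classify(service, status, raw_body):
    """Turn an HTTP status and body into 'live', 'dead' or 'unknown'.
    Rate limits (429) and server errors (5xx) are 'unknown', never 'dead':
    concluding a key is revoked from a throttled reply is the classic triage mistake."""
    d = DETECTORS[service]
    try:
        body = json.loads(raw_body) if raw_body else {}
    except json.JSONDecodeError:
        body = {}
    if status == 429 or status >= 500:
        return "unknown"
    if status in (401, 403) or d.get("dead_if", lambda s, b: False)(status, body):
        return "dead"
    return "live" if d["live_if"](status, body) else "unknown"

def redact(key):
    """Short form for a ticket or rotation log: never record the full secret."""
    return key[:4] + "..." + key[-4:] if len(key) > 12 else "***"
```

Feeding a real key into `build_request` and sending the result is the step the tool's UI performs; the verdict logic is what keeps a throttled reply from being filed as "revoked".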
Technical facts
- 61 service modules shipped in `src/data/detectors.json` on master.
- 4 categories covered: cloud (AWS, DigitalOcean, Vercel), databases (MongoDB), SaaS/APIs (Stripe, PayPal, OpenAI, Twilio, SendGrid, Slack, GitHub, GitLab, Notion, HubSpot, Shopify, Sentry, HuggingFace, Snyk, Shodan…) and dev/infra tooling (Doppler, Pulumi, Terraform, Buildkite, JFrog, Postman, NPM tokens…).
- Stack: JavaScript 58.5% / Python 29.7% / HTML 9.2% / CSS 1.9% — Vite + React frontend, FastAPI proxy.
- Two-component architecture: the React app on port 5173 handles UX and any CORS-friendly APIs; the Python proxy on port 8001 handles AWS SigV4 signing, the MongoDB wire protocol, and any service whose CORS headers block browser JS.
- Docker one-liner: `docker run -p 5173:5173 -p 8001:8001 secretsninja/secrets-ninja:latest`
- Repo activity: 169 stars, 22 forks, 303 commits, 1 open issue at time of writing — small but actively maintained.
How it compares to the usual suspects
| Tool | Format | Service count | Live validation | Best for |
|---|---|---|---|---|
| Secrets Ninja | GUI (web app) | 61 modules | Yes (in-app) | Fast triage & investigation |
| KeyHacks | Markdown cheatsheet | ~100 services | Manual curl | Reference docs |
| keyhacks.sh | Bash script | ~60 services | Yes (CLI) | Terminal pipelines |
| TruffleHog | Scanner + verifier | 700+ | Yes (built-in) | Finding keys at scale |
| dora | Regex scanner | — | No | Discovery only |
TruffleHog is still the heavyweight for discovery at scale. Secrets Ninja isn't trying to compete there — it starts where TruffleHog stops, giving you a human-grade interface to poke at the keys you've already found and understand their blast radius.
Who actually uses this
- Bug bounty hunters triaging keys scraped from GitHub dorking or JS bundles — validate before writing a report to avoid duplicate-low-impact dings.
- Pentesters on engagement who need to understand the scope of a credential mid-assessment (read-only service role vs full admin).
- Red teamers doing post-exploitation recon on harvested tokens.
- AppSec engineers validating severity of secrets surfaced by TruffleHog or Gitleaks before paging the on-call.
- Incident responders confirming which leaked keys are live during a rotation sprint.
Limitations & pricing
Secrets Ninja is 100% free and MIT licensed. There is no paid tier and no telemetry wall. The honest trade-offs:
- A handful of modules (AWS, MongoDB, anything needing SDK-level signing) require the Python proxy running locally. Pure browser-only mode isn't enough.
- CORS headers on some SaaS APIs force traffic through the proxy, so the hosted demo at secrets.ninja can't cover every service out-of-the-box.
- The public instance means you're pasting live credentials into someone else's web app. For real engagements, self-host via Docker. Paranoia is a feature in this line of work.
- The tool is explicitly intended for ethical use only — it won't police you, and legality is on you.
What's next
The architecture is deliberately modular: each service is one file. That's an open invitation for contributions, and the obvious gaps are the ones most worth filling — Azure, GCP service accounts, Supabase, Firebase admin, Cloudflare API tokens, and the long tail of SaaS that doesn't make the top-61 list. If you've been meaning to publish your first open-source security PR, adding a detector module here is about as clean a first contribution as you'll find.
In the meantime, bookmark it, self-host it, and the next time you find a key in the wild — don't just collect it. Validate it.
Source: github.com/NikhilPanwar/secrets-ninja · secrets.ninja · tip via @obscaries.


