Secret & PII Scanner

Before you paste a log into a ticket, share a config snippet, or commit a file, it is worth a quick check for anything that should not be there. This tool scans text for likely secrets — AWS keys, GitHub and OpenAI tokens, JWTs, private keys — and personal data like emails, credit cards, and SSNs, then masks each finding. It runs entirely in your browser: nothing you paste is uploaded, which is exactly why you would use a dedicated scanner instead of pasting sensitive text into a chatbot to ask if it is safe.


    How to Use This Tool

    1. Paste your text — a log, config file, code snippet, or anything you are about to share or commit. Nothing leaves your browser.
    2. Review the findings — each potential secret or piece of PII is listed by line number and type, with the value masked.
    3. Act on real matches — rotate any genuine credential immediately (revoke and reissue at the provider), and remove or redact PII before sharing.
    4. Re-scan after editing — the scan updates as you type, so you can confirm the text is clean before you copy it out.

    Catching Secrets Before They Leak

    Leaked credentials are one of the most common causes of breaches, and most leaks are accidental: an API key pasted into a support ticket, a token left in a committed config file, a connection string in a log shared with a vendor. The cheapest moment to catch a secret is before it leaves your hands — a quick scan of the text you are about to share or commit. Because secrets follow recognizable formats (an AWS access key ID starts with AKIA, a GitHub token with ghp_, a JWT with eyJ), pattern matching catches a large share of real leaks in seconds.

    Running that scan in the browser matters. The alternative — pasting a config or log into an online service to check it — sends the very secrets you are worried about to a third party, where they may be logged or retained. This tool does all of its matching locally with JavaScript, so the text never leaves the page. That makes it safe to use on production logs, customer data, and unreleased code that you could not responsibly paste into a hosted tool.

    No pattern scanner is complete. It will miss bespoke secret formats and cannot understand whether a matched value is a live credential or a harmless example, so it favours catching too much over too little and masks each finding for review. Use it as a fast pre-share and pre-commit check, and back it with repository-level scanning (gitleaks, truffleHog) and a pre-commit hook for defense in depth. If it finds a real key, the response is always the same: rotate it immediately.

    Frequently Asked Questions

    What does the scanner detect?
    It looks for well-known secret formats — AWS access key IDs, GitHub tokens (including fine-grained PATs), OpenAI and Anthropic API keys, Google API keys, Slack and Stripe tokens, Twilio SIDs, PEM private-key blocks, JSON Web Tokens, and generic api_key="..."-style assignments — plus common PII: email addresses, US Social Security numbers, credit-card numbers (validated with the Luhn check to cut false positives), and IPv4 addresses. Each match is masked in the results so the raw value is not re-displayed in full.
    Is my text uploaded anywhere?
    No. All scanning happens in your browser with JavaScript — the text you paste is never sent to Janeer or any server. That is the whole point: you can check a real production log, a config file, or a snippet you are about to share for leaked credentials without the content leaving your machine. Pasting the same text into an online chatbot to ask whether it is safe would do the opposite — it sends your secrets to a third party.
    Can it catch every secret?
    No — treat it as a fast safety net, not a guarantee. The scanner matches known, high-confidence patterns, so it will miss custom or unusual secret formats, base64-encoded blobs, and anything that does not look like a recognizable key. A clean result means nothing obvious was found, not that the text is definitely secret-free. For repositories, pair this with a dedicated tool like gitleaks or truffleHog and a pre-commit hook.
    I found a real key — what should I do?
    Assume it is compromised and rotate it immediately: revoke the leaked credential at the provider and issue a new one. Removing the secret from a file is not enough if it was ever committed or shared, because it persists in git history, logs, caches, and anywhere the text travelled. After rotating, scrub it from history (for git, tools like git-filter-repo or BFG) and check provider audit logs for any unauthorized use.
    Why does it flag something that is not actually a secret?
    Pattern-based detection trades some false positives for catching real leaks. An example AWS key in documentation, a test credit-card number, or an internal IP address will all match even though they are not sensitive. The scanner uses a Luhn check on card numbers and validates IPv4 octet ranges to reduce noise, but you should still review each finding in context. The cost of a false positive is a quick glance; the cost of a missed real key can be a breach.
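
The prefix matching, Luhn and octet validation, and masking described in this FAQ and under "Catching Secrets Before They Leak", sketched as an added example (not the tool's own code). The regexes, rule names and masking width are simplified assumptions, and the sample text is constructed.

```javascript
// Added example: simplified rules (assumptions), not the tool's own patterns.
const RULES = [
  { type: "aws-access-key-id", kind: "secret", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "github-token", kind: "secret", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: "jwt", kind: "secret", re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g },
  { type: "credit-card", kind: "pii", re: /\b\d(?:[ -]?\d){12,18}\b/g, ok: luhn },
  { type: "ipv4", kind: "pii", re: /\b\d{1,3}(?:\.\d{1,3}){3}\b/g, ok: validOctets },
];
// Luhn: double every second digit from the right; the total must be 0 mod 10.
function luhn(value) {
  const digits = value.replace(/\D/g, "").split("").reverse().map(Number);
  const sum = digits.reduce((acc, d, i) => {
    if (i % 2 === 0) return acc + d;
    return acc + (d * 2 > 9 ? d * 2 - 9 : d * 2);
  }, 0);
  return sum % 10 === 0;
}
// Reject dotted quads such as 999.1.1.1 that the regex alone accepts.
function validOctets(value) {
  return value.split(".").every((octet) => Number(octet) <= 255);
}
// Show the first and last four characters only; mask short values fully.
function mask(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 8) + value.slice(-4);
}
function scan(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        if (rule.ok && !rule.ok(m[0])) continue; // validator drops false positives
        findings.push({ line: i + 1, type: rule.type, kind: rule.kind, masked: mask(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these values is a live credential.
const SAMPLE = [
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  "GITHUB_TOKEN=" + "ghp_" + "x".repeat(36),
  "card on file: 4111 1111 1111 1111",
  "order ref: 4111 1111 1111 1112",
  "client 10.0.0.5 -> upstream 999.1.1.1",
  "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
].join("\n");
console.log(scan(SAMPLE));
```

The order reference on line 4 and the address 999.1.1.1 match their regexes but are dropped by the validators, while the documentation-style AWS key is still reported, which is the false-positive trade-off described above.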