
Complete Guide to API Key Detection for AI Tools

Learn how to detect and protect API keys before using AI tools. API key security guide.


You paste code to AI for review. The code includes your Stripe API key, AWS credentials, and database password. Now an attacker—or AI training—has your infrastructure.

This guide covers API key detection and protection: identifying and redacting keys before code reaches an AI tool.

Common API Key Patterns

AWS

AKIAIOSFODNN7EXAMPLE         // Access Key ID
wJalrXUtnFEMI/K7MDENG/bPxRfiCY // Secret Key

Stripe

sk_live_abc123xyz789        // Secret Key
pk_live_abc123xyz789        // Publishable Key
rk_live_abc123xyz789        // Restricted Key

Google

AIzaSy123456789abcDEFGhijklMNOPqrstuvwxyz // Maps, GCP
GOOG123456789ABCDEFghijkl      // OAuth

GitHub

gho_123456789abcdefghijklmnopqrstuvwxyz   // Personal Access Token
github_pat_123456789abcDEFghijklMNOP  // Fine-grained PAT

OpenAI

sk-abc123...xyz                  // API Key
sk-proj-abc123...xyz            // Project Key

Detection Methods

Auto-detection catches:

  • Known prefixes: sk_live_, AKIA, AIza, gho_
  • Key-like patterns: 20+ char alphanumeric strings
  • URL-embedded keys: api_key=xxx in URLs
  • Environment references: AWS_SECRET_KEY=

Before and After

Before:

const stripe = require('stripe')(process.env.STRIPE_KEY);
// STRIPE_KEY = sk_live_abc123xyz789

const awsConfig = {
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCY'
};

After:

const stripe = require('stripe')(process.env.STRIPE_KEY);
// STRIPE_KEY = [REDACTED_STRIPE_KEY]

const awsConfig = {
  accessKeyId: process.env.AWS_ACCESS_KEY_ID,
  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
  // Use environment variables
};

Key Protection Best Practices

  1. Never commit keys to code
  2. Use environment variables
  3. Use secrets managers
  4. Rotate exposed keys immediately

Conclusion: Protect Your Keys

API keys are the passwords of the digital age. One exposed key can compromise your entire infrastructure.

Keys are secrets. Never paste them.
