API Key Format Identifier
Identify any AI vendor key by its prefix — sk-ant, ghp, AKIA — with security notes.
Input is masked in the result, never written to the URL, never stored and never transmitted. Detection is local prefix + shape matching only — the sample key is fake.
API key (sk-ant-…) — shape matches exactly.
Masked key
sk-ant-a••••••••••••••••••••••••MPLE
Security notes
Grants full API access at your account's rate limits. Rotate immediately if exposed.
If this key was exposed (committed, pasted, logged): rotate it at https://console.anthropic.com/settings/keys, then audit usage logs. Never paste live keys into chat tools or issue trackers.
Key format reference (22 formats)
| Vendor | Key type | Prefix | Notes |
|---|---|---|---|
| Anthropic | API key | sk-ant- | Grants full API access at your account's rate limits. Rotate immediately if exposed. |
| OpenAI | Project key | sk-proj- | Scoped to one project. Prefer over legacy user keys; rotate in the dashboard. |
| OpenAI | Legacy secret key | sk- | Account-wide legacy key. Migrate to project-scoped keys and rotate. |
| Google | API key (AIza) | AIza | Used by Gemini, Maps and other Google APIs. Restrict by API + referrer in Cloud Console. |
| GitHub | Personal access token (classic) | ghp_ | Classic PAT — often over-scoped. Prefer fine-grained tokens; revoke in settings. |
| GitHub | OAuth access token | gho_ | Issued to OAuth apps on a user's behalf. Revoke via authorized applications. |
| GitHub | Fine-grained PAT | github_pat_ | Repo- and permission-scoped. Still a credential — rotate on exposure. |
| AWS | Access key ID (long-term) | AKIA | Pairs with a secret key. Long-term IAM credential — exposure means full IAM-policy access. |
| AWS | Access key ID (temporary/STS) | ASIA | Temporary STS credential — expires, but treat exposure as an incident anyway. |
| Slack | Bot token | xoxb- | Workspace bot access. Regenerate from the app's OAuth settings. |
| Slack | User token | xoxp- | Acts as a user — can read DMs depending on scopes. Rotate urgently if leaked. |
| SendGrid | API key | SG. | Can send mail as your domain — a spam/phishing risk if exposed. |
| Stripe | Live secret key | sk_live_ | Full access to live payment data. Roll immediately — Stripe supports zero-downtime rolling. |
| Stripe | Test secret key | sk_test_ | Test mode only — no live data, but rotate to keep hygiene. |
| Stripe | Publishable key | pk_ | Designed to be public (client-side). Not a secret, but don't confuse with sk_ keys. |
| GitLab | Personal access token | glpat- | Scope-dependent repo/API access. Revoke in user settings. |
| npm | Access token | npm_ | Can publish packages — supply-chain risk. Revoke and audit published versions. |
| DigitalOcean | Personal access token | dop_v1_ | Full API control of droplets and resources by default. |
| Pulumi | Access token | pul- | Access to Pulumi Cloud state — may contain infrastructure secrets. |
| Hugging Face | User access token | hf_ | Repo and inference access. Rotate from account settings. |
| Perplexity | API key | pplx- | API usage billed to your account. |
| xAI | API key | xai- | Grok API access billed to your account. |
How it works
Found a credential in a log file, an old .env, or a teammate's paste and need to know what it unlocks? Nearly every modern API vendor brands its keys with a distinctive prefix: sk-ant- for Anthropic, sk-proj- for OpenAI projects, ghp_ for GitHub classic tokens, AKIA for long-term AWS access keys. This tool matches a pasted key against an embedded dataset of twenty-plus formats — prefix plus expected length and character set — and tells you the vendor, the key type, and what an attacker could do with it.
The privacy design is absolute: detection is local regular-expression matching against a table compiled into the page. The key is never sent anywhere, never encoded into a shareable URL, and the on-screen echo is masked to its first eight and last four characters. The input uses a password field so the full value is not visible over your shoulder either. This matters because the natural impulse — googling a key prefix or pasting the credential into a chat assistant — itself constitutes a leak.
Identification comes paired with response guidance. Each format carries security notes calibrated to its blast radius: an AWS AKIA key is a long-term IAM credential whose exposure can mean full account compromise, while a Stripe pk_live_ publishable key is designed to ship in client-side code and is not a secret at all — a distinction that prevents both under- and over-reaction. Every entry links directly to the vendor's rotation page, because the correct response to exposure is always rotate first, investigate second.
The searchable reference table below the identifier doubles as documentation for building your own secret scanning. The prefix conventions are exactly what tools like gitleaks, trufflehog and GitHub secret scanning match on, and knowing that ASIA means a temporary STS credential while AKIA means a long-term one, or that xoxp- is a Slack user token with potentially DM-reading scopes while xoxb- is a more constrained bot token, is the difference between triaging an incident correctly and guessing.
Frequently asked questions
Is it safe to paste a real API key into this tool?
The key is matched against a local table of prefixes and regular expressions in your browser tab — it is never transmitted, never written into the URL, never stored, and the on-screen display is masked to the first eight and last four characters. You can verify zero network requests fire in devtools. Even so, the safest habit with any live credential is to identify it by its first few characters alone, which is all the detection actually needs.
Why do vendors put identifiable prefixes on their keys?
Prefixes like sk-ant-, ghp_ and AKIA turn an anonymous random string into a self-describing credential, which makes automated secret scanning possible. GitHub's secret-scanning program, gitleaks and trufflehog all key off these prefixes to find leaked credentials in commits and logs, and vendors can revoke a leaked key automatically when a scanner reports it. GitHub explicitly redesigned its token formats in 2021 around this idea, adding a checksum so scanners get near-zero false positives.
What should I do the moment a key leaks?
Rotate first, investigate second. Generate a replacement key, deploy it, then revoke the exposed one — most dashboards make this a two-minute operation, and Stripe even supports overlapping keys for zero-downtime rolls. Then audit usage logs for the exposure window: unusual IPs, unexpected endpoints, spend spikes. Finally, fix the leak path — usually a committed .env file, a CI log, or a paste into a chat tool — because a rotated key leaks again through the same hole.
What does it mean when the tool says the prefix matches but the shape is unusual?
Each format in the dataset has both a prefix and an expected length and character set. A key that starts with a known prefix but fails the full pattern is usually truncated by a copy-paste, wrapped by an editor, or partially redacted — or occasionally a newer key version whose length changed. The vendor identification is still likely correct, but the credential as pasted probably will not authenticate.
Can this tool tell whether a key is still active?
Deliberately not. Checking liveness would require sending the key to the vendor's API, which contradicts the entire privacy model of the tool — your key never leaves the page. Identification here is purely structural: vendor, key type and security guidance based on the format. To check whether a credential is live, use the vendor's own dashboard, which lists active keys with their last-used timestamps without you transmitting the secret anywhere new.
Built by FORG — AI cost observability for agentic coding. Free tools, no signup, nothing leaves your browser.