No upload required. Your files stay on your machine.

Public exposure scan for AI-built apps

Your vibe-coded app might be leaking keys.

GetLeaked scans Lovable, Bolt, Cursor, Next.js, and Supabase apps for the security mistakes fast AI builds often miss: exposed API keys, public client secrets, direct AI calls, weak auth signals, RLS risks, and debug routes.

Checks 40+ credential patterns across OpenAI, Supabase, Firebase, Stripe, Anthropic, GitHub, AWS, and more.

No login required for the free scan

Clear scope notes on every report

Secrets redacted before findings leave the scan engine

No login for the free URL scan. No code changes. We check what your public app already exposes.


Why teams use this before launch

A simple proof step before you share the app.

Security buyers and technical founders do not need more vague badges. They need a quick way to verify whether the public app already reveals enough to lose trust.

01. Scan the public surface

We inspect what an attacker can already see, including page responses, client bundles, and inline targets.

02. Return evidence with context

Every finding shows what was seen, why it matters, and what this free scan cannot prove.

03. Escalate only when justified

If the quick scan shows real risk, Deep Scan expands public-surface coverage and remediation.

Built for trust-sensitive launches

Useful for teams shipping with Lovable, Bolt, Cursor, v0, Next.js, Supabase, and Firebase, especially before demos, launches, or paid traffic.

Next.js
Supabase
Firebase
Vercel

What it checks

Six checks, chosen for real launch risk.

These are the failures that quietly leak trust, budget, or data while the app still appears to work.

Exposed API keys

OpenAI, Supabase, Firebase keys in client bundles or public source.

Supabase RLS off

Tables readable by anyone, even without auth or role checks.

Direct AI calls

Browser requests hitting OpenAI directly, which invites abuse and surprise spend.

AI endpoint abuse

No rate limit or auth gate on expensive routes.

Secrets in logs

Sensitive tokens printed to console, log drains, or error responses.

Hardcoded secrets

Keys committed directly into the repo or shipped in bundles.

Sample finding

OpenAI key in client bundle

Critical

Evidence: sk-proj-**** found in _next/static/chunks/app

Fix: Move to server-side env, add to .env.local
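As an added illustration of the "Exposed API keys" check and the sample finding above (example code written here, not GetLeaked's scan engine): a small Python scanner runs a few simplified credential patterns over a constructed bundle chunk, decodes the role claim of any Supabase JWT so the public anon key is not reported as a leak while a service_role key is, and redacts every match to its prefix before it is written into the finding. The patterns, the fix text, the fake JWT builder and the sample chunk are all assumptions made for this example.

```python
import base64
import json
import re
# Simplified credential patterns (assumed for this example; GetLeaked's own 40+ patterns are not public).
PATTERNS = {
    "openai_project_key": re.compile(r"sk-proj-[A-Za-z0-9_-]{20,}"),
    "stripe_live_secret": re.compile(r"sk_live_[A-Za-z0-9]{16,}"),
    "supabase_jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
FIX = "Move to server-side env, add to .env.local, then rotate the key"

def redact(token: str) -> str:
    """Keep only the recognisable prefix (e.g. 'sk-proj-****') so evidence never carries the secret."""
    head = token[:8]
    cut = max(head.rfind("-"), head.rfind("_"))
    return (head[: cut + 1] if cut > 0 else token[:4]) + "****"

def supabase_role(jwt: str) -> str:
    """Supabase keys are JWTs; the 'role' claim separates anon (public by design) from service_role."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return str(claims.get("role", "unknown"))

def scan_bundle(path: str, text: str) -> list:
    """Return redacted findings for every secret-shaped token in one client bundle chunk."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            token, label = m.group(0), kind
            if kind == "supabase_jwt":
                role = supabase_role(token)
                if role == "anon":  # anon key belongs in the client; only a service_role key is a leak
                    continue
                label = f"supabase_{role}_key"
            findings.append({"kind": label, "severity": "Critical",
                             "evidence": f"{redact(token)} found in {path}", "fix": FIX})
    return findings

def fake_jwt(role: str) -> str:
    """Constructed, unsigned JWT shaped like a Supabase key, used only to build the sample chunk."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64({'role': role, 'iss': 'supabase'})}.sig"

# Constructed sample chunk: an OpenAI leak, a service_role leak, a legitimate anon key, and a Stripe publishable key (pk_live_) that must not be flagged.
SAMPLE_CHUNK = (
    'const ai=new OpenAI({apiKey:"sk-proj-' + "A" * 48 + '",dangerouslyAllowBrowser:true});'
    'const sb=createClient(URL,"' + fake_jwt("anon") + '");'
    'const admin=createClient(URL,"' + fake_jwt("service_role") + '");'
    'const stripe=loadStripe("pk_live_' + "B" * 24 + '");'
)
```

Calling `scan_bundle("_next/static/chunks/app.js", SAMPLE_CHUNK)` yields two Critical findings, the first reading `sk-proj-**** found in _next/static/chunks/app.js`, and nothing for the anon or publishable keys.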

How it works

Fast enough for launch day, clear enough for non-security teams.

1. Paste a URL or repo

Leaked scans the public surface or source tree depending on what you share.

2. Get evidence, not guesswork

Every finding includes the exact risky pattern and the line of reasoning behind it.

3. Fix the trust leak fast

You leave with plain-English remediation steps, not a pile of generic security jargon.

Built for founders who need a fast security proof step before they ask others to trust the app.

Especially useful for AI-built apps shipped with Lovable, Bolt.new, v0, Cursor, Next.js, Supabase, and Firebase.

Feature comparison

What you get for $49 that you don't get free.

Feature                                                         Free ($0)   Deep Scan ($49)
Public bundle inspection                                        Yes         Yes
Common secret pattern detection                                 Yes         Yes
Plain-English findings                                          Yes         Yes
Live API key validation (is the leaked key active right now?)   No          Yes
Auth-bypass probing on detected endpoints                       No          Yes
Dependency CVE audit (OSV.dev)                                  No          Yes
Source-map reconstruction & re-scan                             No          Yes
Downloadable Markdown report                                    No          Yes
Shareable read-only report link                                 No          Yes
One free re-scan within 30 days                                 No          Yes
Email summary + monitor upsell                                  No          Yes

Free is for triage. Deep Scan is for evidence you can act on (or hand to someone else).

Pricing

Simple pricing for fast triage and deeper remediation.

Free URL Scan

$0 per scan

Fast public-surface triage before a launch, demo, or customer share.

  • Public bundle and page inspection
  • Secret exposure check
  • Direct AI call check
  • Abuse risk signal
  • Instant JSON report

Deep Scan (Most popular)

$49 per scan

Public deployment review with evidence, scope notes, and exact remediation steps.

  • Expanded URL review: checks public deployment signals, loaded bundles, source maps, and exposed endpoints together.
  • Hardcoded secret detection: finds API keys and tokens sitting in source files, configs, and client-facing code.
  • Supabase RLS review: looks for common RLS/auth mistakes that can expose user data or app tables.
  • AI spend-risk check: flags direct browser-side AI calls and unguarded AI routes that can be abused.
  • Debug + internal route sweep: looks for exposed debug, test, admin, or diagnostic endpoints that should not be public.
  • Logging exposure check: catches secrets written to console output, client logs, or obvious logging paths.
  • Prioritized fix list: separates urgent leaks from lower-risk cleanup so you know what to fix first.
  • Evidence included: every finding points to the file, URL, route, or pattern that triggered it where possible.
  • Scope statement: report says what was checked and what was not checked, so there is no fake certainty.

Trust & privacy

Safe to scan. Honest about scope.

GetLeaked is designed for early builders who need security clarity without handing over their whole company. The free scan checks publicly accessible URLs and bundles — the same surface anyone on the internet can request. Deep Scan adds live key validation, auth-bypass probes, dependency checks, source-map reconstruction where exposed, and a clearer remediation report.

  • Free URL scan: checks public app surfaces only. No login required.
  • No code execution: GetLeaked analyzes exposed files and patterns; it does not run your app code.
  • Plain-English evidence: findings include the signal, why it matters, and the first fix to make.
  • Clear limits: reports state what was scanned and what was out of scope.
  • Not a pentest: this reduces launch risk; it does not replace a full security audit for mature production systems.

For Deep Scan, submit only a public URL you own or are authorized to test. Do not paste credentials, private tokens, or secrets into the scan form. Repository review is not included unless a future flow explicitly collects repo access and states the handling terms.

Built by Crescent Labs — security-first AI systems, shipped in public.

Limitations

What Leaked does not check.

We stay explicit about scope so builders know when they need a wider audit.

  • Server-side environment variables that never reach the client bundle, public responses, or exposed source maps.
  • Full Git history, because current scanning is focused on the present code state.
  • Infrastructure, networking, IAM, or DNS misconfigurations outside app code.
  • Mobile apps and non-web stacks outside the supported Next.js, Supabase, and Firebase scope.
  • Runtime exploit chains. The current product focuses on static evidence and exposed patterns.

FAQ

Common questions.

What does GetLeaked check?
GetLeaked checks the public surface of your app for exposed API keys (OpenAI, Supabase, Firebase, Stripe, AWS, Anthropic, GitHub, and more), Supabase Row Level Security disabled, direct browser-to-AI calls, missing auth gates on expensive routes, secrets in logs, and hardcoded credentials in client bundles.

What is the difference between the Free URL Scan and the Deep Scan?
The Free URL Scan inspects what is already publicly visible — your public page response, client-side JavaScript bundles, and inline targets. Deep Scan ($49 one-time) expands the public-deployment review with live key validation, source-map reconstruction where exposed, dependency checks, auth-bypass probing, and a plain-English remediation report with exact fix steps.

Does GetLeaked replace a formal security audit or pentest?
No. GetLeaked provides fast static evidence for the most common builder mistakes before launch. It is a proof step, not a penetration test. Every report explicitly states what the scan covered and what it cannot prove — so you know exactly where the gaps are.

What data does GetLeaked store and for how long?
Scan inputs and results are stored for 30 days and then permanently deleted. We do not share scan data with third parties and do not use it to train models. Secrets found during a scan are redacted before findings leave the scan engine.

How does payment work for the Deep Scan?
Deep Scan is $49 one-time per scan, paid in SOL or USDC on the Solana network. There is no subscription and no card required. Payment is confirmed on-chain and scan access is unlocked automatically within seconds.

Can the free scan see my server-side environment variables?
No. The free URL scan can only inspect what is publicly accessible: your page HTML, loaded JavaScript bundles, and inline targets visible from the scanned URL. Server-side environment variables that never reach the client are outside the scope of the free scan — that is a Deep Scan use case.

Ship the product, not the security mistake.

Run the free URL scan for a public-surface check, then use Deep Scan when you need deeper public-deployment confidence before a launch, client share, or investor demo.