API Radar turns leaked API keys into a searchable threat feed for your own org. This new version rebuilds the core engine so it continuously discovers exposed keys in public GitHub, then lets you slice them by provider, repo, file path, and time to see exactly what’s out and where. Instead of digging through noisy scanners or random alerts, you get a focused view of real leaked credentials you can revoke and rotate fast.
I’m building API Radar as a solo dev to answer one question: “Which of our API keys are already leaked in public?”
This launch ships a rebuilt engine that continuously pulls exposed keys from public GitHub and turns them into a searchable feed you can filter by provider, repo, file path, and time. The goal is to go from “some scanner says something is bad” to “here’s the exact key, in this file, in this repo – now revoke and rotate.”
I’d love brutal feedback from developers, DevOps/SRE, and security folks:
Would this slot into how you handle secrets right now?
What’s missing to make this something you’d rely on during incidents?
Happy to dive into technical details, detection logic, and roadmap in the comments.
