KeyHacks: Verify Over 100 API Keys with a Single Curl Command

When a batch of "leaked" API keys is discovered, the first question is whether the keys actually work. KeyHacks solves this problem by offering a fixed curl command for each supported service, allowing users to copy‑paste and instantly verify credentials without writing code.

The tool currently covers over 100 platforms across several categories, including cloud services (AWS, Azure, GCP, Google Maps), development collaboration (GitHub Token, GitLab PAT, GitHub SSH keys), messaging (Slack Webhook, Microsoft Teams), payment (Stripe, PayPal), SMS/voice (Twilio), monitoring (DataDog, New Relic, Grafana), marketing analytics (Amplitude, HubSpot, MailChimp, SendGrid), CDNs & security (Cloudflare, Firebase, Firestore), and many others such as Shodan, NPM, and Telegram Bot APIs. The list is continuously updated.

Getting started is straightforward: clone the repository with git clone https://github.com/streaak/keyhacks, change into the directory, and open README.md to find the appropriate curl command. Example commands include:

curl -s -X POST -H "Content-type: application/json" \
     -d '{"text":""}' "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"

which returns missing_text_or_fallback_or_attachments indicating a valid Slack webhook. For a GitHub token:

curl -s -H "Authorization: token TOKEN_HERE" \
     "https://api.github.com/users/USERNAME_HERE/orgs"

and for AWS credentials:

AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=yyyy \
    aws sts get-caller-identity

These responses confirm whether the credentials are usable.

From a red‑team perspective, KeyHacks is useful in several scenarios: (1) detecting leaked credentials in code repositories or configuration files; (2) reducing noise in vulnerability reports by proving key validity before submission; (3) auditing supply‑chain dependencies for stale or exposed tokens; and (4) probing cloud environments to enumerate actual permissions after confirming a key works, often combined with tools like enumerate-iam to map accessible services.

A concrete case demonstrates verifying a GitHub SSH private key with ssh -i <path_to_private_key> -T [email protected], which returns a message confirming authentication and reveals the associated username—information valuable for social engineering and lateral movement.

The tool is aimed at penetration‑testing engineers, bug‑bounty hunters, security researchers, enterprise security teams, and blue‑team members who need to monitor and remediate leaked credentials.

KeyHacks is hosted on GitHub (github.com/streaak/keyhacks), written entirely in Markdown, released under the MIT license, and has garnered over 10 k stars with active community contributions.