Reducing API Key Abuse

KeyDrop is a public-interest cybersecurity research initiative aimed at reducing API key abuse.
The project systematically lowers the risks associated with publicly exposed API keys by identifying credential leaks across the internet and reporting them responsibly to service providers.

We invite collaboration with commercial and academic partners, particularly large technology platforms, to develop standardized mechanisms that allow researchers to transmit reports of exposed credentials through structured and secure APIs.

This initiative draws inspiration from GitHub’s Secret Scanning, a program that automatically examines uploaded code repositories for sensitive tokens and notifies both the user and the relevant provider. In practice, this enables platforms such as Google to proactively suspend compromised API keys before they are misused.

KeyDrop extends this model from the bounded environment of code hosting platforms to the broader internet, applying large-scale scanning methodologies to support timely remediation and reduce opportunities for malicious exploitation.

In short: KeyDrop turns responsible internet-wide scanning into a public service, enabling responsible, provider-driven remediation of exposed credentials before they can be abused.

Responsible scanning and reporting

We issue only lightweight discovery requests, no payloads or exploit attempts. Our scans currently focus on identifying:

These requests may appear in Apache logs as:

  • "GET /.env HTTP/1.1" 404 3556 "-" "Mozilla/5.0; KeyDrop.io/1.0 (+https://www.keydrop.io/);"
  • "GET /.git/config HTTP/1.1" 404 3556 "-" "Mozilla/5.0; KeyDrop.io/1.0 (+https://www.keydrop.io/);"

If exposed credentials are detected, KeyDrop securely reports the affected IP address and API keys to the appropriate provider. For example, if a misconfiguration exposes Google API keys, we notify Google directly.

Can I opt out?

Yes. If you’d like your domains or IP ranges excluded from KeyDrop scans, please email keydrop [[at ]] onlyscans.net.

Can I receive keys?

If your organization issues API keys or other long-lived credentials, KeyDrop wants to report exposed keys in the format your team can use most effectively.

Some providers offer public reporting endpoints or participate in programs such as GitHub Secret Scanning. Others use security email aliases or intake portals. KeyDrop can work with the process you already have and welcomes pointers to the right reporting channel.

Receive exposed credential reports

Share the best way to submit exposed keys for your platform, especially if you support structured reports, anonymous submissions, or automated intake.

Send reporting details