
Free account required

JS Recon

Extract API keys, internal endpoints, and auth tokens from JavaScript files.

Fetches and analyzes JavaScript files from any URL. Extracts AWS keys, API tokens, internal hostnames, hardcoded credentials, GraphQL endpoints, and source map references. Essential first step in every serious bug bounty recon.

What JS Recon finds

Exposed API Keys

Identifies AWS, Google Cloud, Stripe, Twilio, and dozens of other service API keys using signature patterns and entropy analysis.

Hardcoded Auth Tokens

Finds JWT tokens, session tokens, and OAuth client secrets embedded in client-side JavaScript.

Internal Endpoints

Extracts internal API hostnames, staging environment URLs, and intranet addresses from JS bundles.

Source Map References

Detects .map file references that expose original source code, revealing business logic and server-side routes.

How to use JS Recon

Enter JS file URL

Or enter the main app URL and let the tool auto-discover all linked JavaScript files.

Run extraction

The tool fetches, deobfuscates where possible, and scans for sensitive patterns across all JS files.

Triage findings

Each finding shows the exact JS file, line number, matched pattern, and severity rating.

RaSEC Platform

Run JS Recon as part of an overnight hunt.

All 8 tools in coordinated sequence
Deterministic reproduction
Copy-paste PoC reports