SupaExplorer

API Security & Leak Detection

Detect leaked API keys and stress-test database policies without leaving the browser.

SupaExplorer automatically detects exposed credentials from Supabase, AWS, Google Cloud, Stripe, and more. Test row-level security, scan for hard-coded keys, and catch vulnerabilities before they become breaches.

  • Coverage: Side panel, DevTools, explorer overlay, and security report builder.
  • Data Residency: Credentials remain local in chrome.storage; nothing leaves your machine.
  • Reset: State clears automatically when Supabase keys disappear or tabs change.

Why It Matters

  • Multi-service detection: Automatically identify leaked credentials from AWS, Google Cloud, Stripe, Twilio, SendGrid, and more.
  • Catch hard-coded keys with background scanning of scripts, JSON responses, and network requests—even before they fire.
  • Audit Supabase RLS in minutes: table inventory, row-count permissions, and instant 401 visibility in one view.
  • Export findings as a printable security report summarizing all detected credentials, exposure levels, and remediation steps.

Inside SupaExplorer

  • Multi-service credential detection via webRequest, fetch, and XMLHttpRequest instrumentation—scans for AWS, Stripe, Twilio, and 15+ other API keys.
  • Chrome side panel for persistent context, theme toggles, and live table access checks for Supabase databases.
  • Modal explorer powered by PostgREST for rapid select, insert, update, and delete flows on Supabase data.
  • Security report composer with risk heuristics, credential exposure summary, and PDF-friendly output.
  • DevTools panel for manual request replay, key management, and comprehensive static asset scanning.
  • Floating detection indicator alerting you instantly when credentials are captured from network requests.

Ideal For

  • Security engineers validating database policies and scanning for exposed API credentials across all services.
  • Red-teamers and penetration testers inspecting web applications for leaked API keys from AWS, Stripe, Twilio, and more.
  • DevSecOps teams conducting pre-production security audits to catch hard-coded credentials before deployment.
  • Bug bounty hunters looking for exposed credentials and database misconfigurations in target applications.

Safety Notes

SupaExplorer is designed for authorized security testing only. Always obtain proper authorization before testing any application. The tool highlights vulnerabilities without attempting unauthorized access or bypasses.