Skip to main content

Overview

When a secret is detected, Cysmiq can verify whether it is still active by making API calls to the provider. This page lists active secret credential families Cysmiq detects today and whether API verification is supported.

Supported providers

Cysmiq currently detects 110 active secret credential families across 81 providers. Verification is supported for 94 credential families and not supported for 16.
ProviderCredential familyVerification supported
AbuseIPDBAPI keyYes
AbyssaleAPI keyYes
AdafruitAdafruit IO keyYes
AgoraCustomer ID and customer secretYes
AI21API keyYes
AirbrakeUser API keyYes
AirtableOAuth integrationsNo
AirtablePersonal access tokensYes
AivenApplication tokensYes
AivenPersonal tokensYes
AlchemyAPI keyYes
AnthropicAdmin API keyYes
AnthropicAPI keyYes
ApifyOrganization API tokensYes
ApifyPersonal API tokensYes
ApolloAPI keyYes
ApolloOAuth client secretNo
AsanaClient ID and client secretNo
AsanaPersonal access tokenYes
AssemblyAIAPI keyYes
AWSAccess keysYes
BeamerAPI keyYes
BitkubAPI keyYes
ChargebeeFull-access keyYes
ChargebeeRead-only keyYes
CircleCIPersonal API tokensYes
CloudflareAccount API tokenYes
CloudflareGlobal API keyYes
CloudflareOrigin CA keyYes
CloudflareR2 Account API tokenNo
CloudflareR2 User API tokenNo
CloudflareService tokenNo
CloudflareUser API tokenYes
CloudinaryAPI key and API secretYes
Code ClimatePersonal access tokenYes
CohereAPI keyYes
crates.ioAPI tokenNo
DatabricksPersonal access tokenYes
DeepSeekAPI keyYes
DigitalOceanOAuth applicationNo
DigitalOceanPersonal access tokenYes
DocuSignIntegration keyNo
DropboxAccess tokenYes
DuffelAccess tokenYes
EasyPostAPI keysYes
GitHubFine-grained personal access tokenYes
Google APIsStandard API keyYes
GroqProject API keyYes
HerokuAPI keyYes
HubSpotDeveloper API keyYes
HunterAPI keyYes
InfuraAPI keyYes
IntercomAccess tokenYes
JenkinsAPI tokenYes
JFrogAccess tokenYes
LangfuseAPI credentialsYes
LinearPersonal API keysYes
MailchimpAPI keyYes
MailgunAccount API keysYes
MailjetAPI keyYes
MapboxSecret tokenYes
Microsoft TeamsIncoming webhookYes
MidtransServer keyYes
Mistral AIAPI keyYes
MuleSoftApp acts on behalf of a userNo
MuleSoftApp acts on its own behalf (client credentials)Yes
MuleSoftEnvironment credentialsYes
MuleSoftOrganization credentialsYes
NetlifyPersonal access tokenYes
npmGranular access tokenYes
NuGetScoped API keysYes
NylasAPI keyYes
OpenAIPersonal API keyYes
OpenAIProject API keyYes
OpenRouterAPI keyYes
OpenRouterManagement API keyYes
OpenWeatherMapAPI keyYes
PaystackAPI keysYes
Perplexity AIAPI keyYes
Polygon.ioAPI keyYes
PostmanPostman API keyYes
PostmarkAccount API tokenYes
PostmarkServer API tokenYes
PostmarkSMTP tokenNo
RapidAPIRapid API keyYes
ReplicateAPI tokenYes
ReplicateSigning secretNo
ResendAPI keyYes
RubyGemsAPI keyYes
SendGridAPI keyYes
ShodanAPI keyYes
SlackIncoming webhook URLYes
SonarCloudPersonal access tokensYes
SquareOAuth access tokenYes
SquarePersonal access tokenYes
SquareSandbox access tokenNo
SSLMateAPI keyYes
StackHawkAPI keyYes
StripeRestricted API keyYes
StripeSecret API keyYes
SurgeAIAPI keyYes
TailscaleAPI access tokensYes
TailscaleAuth keysNo
TailscaleOAuth clientsYes
TailscaleSCIM API keysNo
TailscaleWebhook secretNo
TavilyAPI keyYes
TelegramBot tokenYes
TravisAPI access tokenYes
VercelAccess tokenYes

LLM-based validation

Secrets without API verification support are validated using LLM-based analysis. This includes:
  • High-entropy tokens in configuration files
  • Generic API key patterns
  • Private keys and certificates
  • Provider-ambiguous credentials
LLM validation evaluates the detection context to reduce false positives.