Overview
When a secret is detected, Cysmiq can verify whether it is still active by making API calls to the provider. This page lists supported verification providers, the key names we verify, and any extra materials needed for verification.Supported providers
Cloud & Infrastructure
| Provider | Key name | Extra materials |
|---|---|---|
| AWS | Secret access key | Access key ID |
| GCP | Service account key (JSON) | - |
| DigitalOcean | API key | - |
| Cloudflare | API token | - |
| Cloudflare CA | Origin CA key | - |
| Cloudflare Global | Global API key | |
| Vercel | Access token | - |
| Netlify | API key | - |
| Heroku | API key | - |
| Databricks | API key | Instance name |
| Infura | API key | - |
AI & Machine Learning
| Provider | Key name | Extra materials |
|---|---|---|
| OpenAI | API key | - |
| Anthropic | API key | - |
Payment & Commerce
| Provider | Key name | Extra materials |
|---|---|---|
| Stripe | API key | - |
| Square | Application access token | - |
| Shopify | Token | Domain |
| Chargebee | API key | Site ID |
Communication & Email
| Provider | Key name | Extra materials |
|---|---|---|
| Twilio | Token | Account SID |
| SendGrid | API key | - |
| Mailgun | Primary API key | - |
| Mailchimp | API key | - |
| Slack | Webhook | - |
| Telegram | Bot API key | - |
| Microsoft Teams | Webhook | - |
Developer Tools & CI/CD
| Provider | Key name | Extra materials |
|---|---|---|
| Cysmiq | API key | - |
| GitHub | Personal access token (PAT), Classic token | - |
| CircleCI | Token | - |
| Travis CI | API key | - |
| SonarCloud | API key | - |
| CodeClimate | Key | - |
| StackHawk | API key | - |
| Postman | API key | - |
| Artifactory | Token | JFrog URL |
Package Registries
| Provider | Key name | Extra materials |
|---|---|---|
| npm | Token (.npmrc), Token | - |
| NuGet | API key | - |
| RubyGems | API key | - |
Data & Analytics
| Provider | Key name | Extra materials |
|---|---|---|
| Cloudinary | API secret | Cloud name, API key |
| Airtable | PAT | - |
| Polygon | API key | - |
| Shodan | API key | - |
| AbuseIPDB | API key | - |
Other Services
| Provider | Key name | Extra materials |
|---|---|---|
| Agora | Customer secret | Customer ID |
| Alchemy | API key | - |
| Beamer | API key | - |
| Bitkub | API secret | API key |
| Dropbox | API key | - |
| Fastly | API key | - |
| Google APIs | API key | - |
| Linear | API key | - |
| Adafruit | API key | - |
| Abyssale | API key | - |
| SurgeAI | API key | - |
Extra materials
Some providers need additional context beyond the secret itself to perform verification. When extra materials are missing, verification may be skipped.LLM-based validation
Secrets without API verification support are validated using LLM-based analysis. This includes:- High-entropy tokens in configuration files
- Generic API key patterns
- Private keys and certificates
- Provider-ambiguous credentials