Scan code snippets for leaked AWS keys, private keys, API tokens, and JWTs via x402-paid API.
What it does
The `/api/dev/secrets-scan` endpoint is part of DeFi Shield, a suite of 69 x402-protocol pay-per-request security intelligence APIs hosted on Vercel. This specific endpoint detects hardcoded secrets in submitted content — including AWS keys, private keys, API tokens, and JWTs. It costs $0.02 per call, paid in USDC on Base via the x402 protocol.
DeFi Shield is designed for autonomous AI agents that need on-demand security checks. The x402 payment flow works as follows: the agent sends a POST request with an x402 payment header, the facilitator verifies USDC payment on Base, the endpoint processes the request and returns JSON, and payment settles only on a successful response. Each endpoint also supports a free GET request for discovery metadata including an `llm_usage_prompt`.
Documentation is limited — the `/docs` path returns 404, and no OpenAPI schema was found. The x402 challenge was captured as live (HTTP 402 on POST) but the challenge body was empty, so exact payment parameters (token address, network, payTo address, amount in base units) are not confirmed from the probe. Pricing of $0.02 is taken from the landing page listing. Users should call `GET /api/dev/secrets-scan` or `GET /api/health` for discovery details before attempting paid requests.
Capabilities
Use cases
- —Scanning code diffs or pull requests for accidentally committed secrets before deployment
- —AI agents auditing smart contract source code for leaked private keys
- —Automated CI/CD pipeline checks for exposed AWS credentials or API tokens
- —Checking user-submitted content for sensitive credential patterns
Fit
Best for
- —AI agents needing on-demand secrets scanning with micropayments
- —Automated security pipelines that check code for credential leaks
- —Developers who want a simple POST API for secret detection without running local tools
Not for
- —Large-scale continuous repository monitoring (better served by GitHub secret scanning or dedicated SaaS)
- —Scanning binary files or non-text content for secrets
- —Users who cannot pay with USDC on Base chain
Quick start
# Free discovery
curl https://defi-shield-hazel.vercel.app/api/dev/secrets-scan
# Paid request (requires x402 payment header)
curl -X POST https://defi-shield-hazel.vercel.app/api/dev/secrets-scan \
-H "Content-Type: application/json" \
-H "X-PAYMENT: <x402-payment-token>" \
-d '{"content": "const key = AKIA1234567890ABCDEF"}'Example
Request
{
"content": "const awsKey = 'AKIAIOSFODNN7EXAMPLE';\nconst secret = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';\nconst jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc';"
}Endpoint
Quality
The endpoint is live (402 on POST confirmed) and the landing page provides a clear description and pricing ($0.02/call). However, the x402 challenge body was empty, no OpenAPI schema exists, /docs returns 404, and no example response is available. Request schema is inferred from context, not documented.
Warnings
- —x402 challenge body was empty — exact payment parameters (payTo, token contract, amount in base units) could not be confirmed from probe
- —No OpenAPI or JSON schema found for request or response
- —Documentation page (/docs) returns 404
- —Response format is entirely inferred; no example response available
- —Request body schema (e.g. field name 'content') is guessed from endpoint purpose, not documented
Citations
- —The /api/dev/secrets-scan endpoint detects AWS keys, private keys, API tokens, and JWTs at $0.02 per callhttps://defi-shield-hazel.vercel.app
- —DeFi Shield has 69 paid API endpoints using x402 protocol with USDC on Basehttps://defi-shield-hazel.vercel.app
- —Payment settles only on successful response; agents send POST with x402 payment headerhttps://defi-shield-hazel.vercel.app
- —Each endpoint supports free GET for discovery with llm_usage_prompthttps://defi-shield-hazel.vercel.app