Does this tool send my clipboard anywhere?

No. The clipboard text is read into the page and all pattern matching happens in your browser with JavaScript. Nothing is uploaded, logged, or stored, which is the whole point of a paste-safety check.

It flags common secret formats — AWS keys, generic API tokens, JWTs, PEM private keys, Slack/GitHub tokens — plus credit card numbers validated with the Luhn algorithm, email addresses, IBANs, and other PII patterns. Each finding shows the type and a redacted preview.

Why does it need clipboard permission?

Reading the clipboard programmatically is a privileged action, so the browser prompts for consent. If you prefer not to grant it, or the browser refuses, just paste the text into the box and the identical scan runs locally.

Are credit card matches reliable?

Numbers are first matched by length and digit grouping, then validated with the Luhn check digit, which removes most false positives. It still cannot confirm a card is real or active — it only flags strings that look like valid card numbers so you do not paste them by accident.

Can it give false positives?

Yes. Pattern-based detection is conservative on purpose — it would rather warn you about a harmless high-entropy string than miss a real secret. Treat findings as a prompt to look, not as proof a credential is exposed.

Clipboard Contents Security Checker

Before you paste, this checker reads your clipboard (only with your permission) and scans it locally for things you almost certainly do not want to leak: API keys, tokens, private keys, and personal data. If something sensitive is on your clipboard, you find out before it lands in a chat box or support ticket.

How it works

When you grant permission, the tool calls navigator.clipboard.readText() and runs the returned string through a set of detectors. Each detector is a carefully scoped pattern:

Secrets — AWS access keys (AKIA…), GitHub tokens (ghp_…), Slack tokens (xox…), generic 32+ char API keys, and JWTs (three base64url segments separated by dots).
Private keys — PEM blocks such as -----BEGIN … PRIVATE KEY-----.
Payment data — 13–19 digit sequences that match card grouping and pass the Luhn check digit, which eliminates most random-number false positives.
PII — email addresses, IBANs, and long digit runs that resemble phone or account numbers.

Every match is shown with its type and a redacted preview (most characters masked) so you can confirm what was found without re-exposing the full secret on screen.

The Luhn check for card numbers

Card-number detection does not just count digits. It applies the Luhn algorithm: starting from the rightmost digit, every second digit is doubled (subtracting 9 if the result exceeds 9), all digits are summed, and the number is only flagged if the total is divisible by 10. This is the same checksum issuers use, so a random 16-digit string is very unlikely to be flagged.

Notes and limits

If your browser refuses programmatic clipboard reads (common on non-HTTPS pages or when the tab is unfocused), paste into the box instead — the scan is identical.
Detection is intentionally cautious: it prefers a harmless false alarm over a missed credential. A flag means “look at this,” not “this is definitely a live secret.”
Nothing you scan leaves your browser. Clear the input when you are done to remove it from the page.