This blog is only for educational and ethical vulnerability research purposes. The author is not responsible for any misuse!

Why do beginner bug hunters' API key leak reports get rejected?

  • They are mostly reporting Google Maps API keys. Only in the rare case of a self-hosted program might it be considered a P4, if the key is over-permissive.
  • They fail to understand whether the API key is a client-side key, which is intentionally public because it is needed for normal functionality, or a server-side key that the developer failed to secure and included by mistake in the client-side code, or in an obscure, obfuscated JS file nested deep in a recursive subdomain or IP.
  • Public API keys often start with "pk", "pk_", "pk_client" or "pk_test". They fail to understand that only secret keys, which start with "sk", are accepted. This naming convention varies between services.
  • They never thoroughly read what the API documentation says.
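
The client-side versus server-side distinction from the list above, as an added example that is not from the original post: a pre-release check to run over your own built JavaScript that treats "pk"-prefixed values as expected and flags "sk"-prefixed keys, "amzn.mws." tokens and private key blocks. The character classes, minimum lengths and sample values are assumptions constructed for illustration, and prefixes vary between services.

```python
import re
import sys

# Prefixes come from the post's bullets and dorks; the character classes and
# minimum lengths are assumptions for illustration, not any vendor's spec.
RULES = [
    # (label, verdict, pattern)
    ("publishable key", "public", re.compile(r"\bpk_[A-Za-z0-9_]{8,}")),
    ("secret key", "secret", re.compile(r"\bsk_[A-Za-z0-9_]{8,}")),
    ("amzn.mws token", "secret", re.compile(r"\bamzn\.mws\.[A-Za-z0-9-]{8,}")),
    ("private key block", "secret", re.compile(r"BEGIN (?:[A-Z]+ )?PRIVATE KEY")),
]


def mask(value, keep=8):
    """Keep a short prefix so the report does not become a second leak."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(text):
    """Return (line_no, label, verdict, masked_value) for each match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, verdict, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((line_no, label, verdict, mask(m.group(0))))
    return findings


def has_secret(findings):
    """True when at least one finding is a server-side secret."""
    return any(verdict == "secret" for _, _, verdict, _ in findings)


# Constructed sample: a client-side bundle with one intended public key and
# two values that should never have shipped. None of these are real.
SAMPLE_BUNDLE = """\
const cfg = { apikey: "pk_test_EXAMPLE0000000000" };
fetch("/pay?access_token=sk_live_EXAMPLE1111111111");
var mws = "amzn.mws.00000000-EXAMPLE";
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    results = scan_text(text)
    for line_no, label, verdict, shown in results:
        print(f"line {line_no}: {verdict:6} {label}: {shown}")
    sys.exit(1 if has_secret(results) else 0)
```

The non-zero exit status on any "secret" verdict lets a build pipeline fail before the bundle is published; a "public" verdict alone exits 0.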

How am I efficiently dorking for API keys now?

So what I do is make the dork a bit more efficient and narrow. The results may be fewer, but they have a high potential to be valid, accepted bugs.

1️⃣ Access Tokens

http.body="access_token=sk"
http.body="token=sk"

In the example above, I didn't just search for the keyword access_token like everyone else; I am telling the search engine to show results only when the value starts with "sk".

👉 Site: zoomeye.ai

View HTML Page Source

2️⃣ FilePicker Key

http.body="filepicker_key"

3️⃣ Amazon Marketing Service Auth Token

http.body="amzn.mws."

4️⃣ SlackToken

http.body="slackToken = '"
http.body="slackToken:"
http.body="slack_Token" && title="Whoops! There was an error."

Error at the top

Token leak at the bottom

5️⃣ Secret Keys

http.body="sk_live" && http.body="apikey"
http.body="sk_live" && http.body="api_key"

http.body="sk_" && http.body="apikey"
http.body="sk_" && http.body="api_key"

🗝️ Additional Dork Tips

http.body="BEGIN PRIVATE KEY"
http.body="---BEGIN PRIVATE KEY---"

22K Results

How to make the dorks yourself?

  • First read the search engine's advanced search operator docs
  • Then find keywords, strings, and regexes from GitHub and the official API docs
site:github.com api key regex

👉 Site: zoomeye.ai/gpt

You can follow the GitHub repository below, which can be helpful for making a POC before reporting directly.

Infinite dorks are possible. Start exploring & hunting!