aizaudit checks which Google APIs accept a supplied API key. It reports whether the
key was accepted, which services responded, and which API or application restrictions
were visible from the machine running the scan.
It does not search for leaked keys or read a key's Google Cloud configuration.
Only test keys and projects you own or have permission to assess. Never post keys or unredacted reports in issues.
The release binaries are self-contained; .NET is not required.
| Platform | Download |
|---|---|
| Windows x64 | aizaudit-win-x64.exe |
| Linux x64 | aizaudit-linux-x64 |
| SHA-256 | SHA256SUMS.txt |
Rename the downloaded binary to aizaudit (aizaudit.exe on Windows). On Linux,
also run chmod +x aizaudit.
Prompt for a key without putting it in shell history:
Read-Host "Google API key" | .\aizaudit.exeread -rsp "Google API key: " key; printf '\n'
printf '%s\n' "$key" | ./aizaudit
unset keyCommon examples:
# Read several keys from a file
.\aizaudit.exe --key-file keys.txt
# Write JSON
$env:GOOGLE_API_KEY = Read-Host "Google API key"
.\aizaudit.exe --from-env --json > report.json
# Show only accessible results
.\aizaudit.exe --key-file keys.txt --only-accessible
# Test a browser context
Read-Host "Google API key" | .\aizaudit.exe `
--referer https://example.com/app --origin https://example.comPotentially billable probes are disabled by default. Enable them with
--include-billable. APIs restricted to non-commercial use require the separate
--include-noncommercial flag.
Run .\aizaudit.exe --help (Windows) or ./aizaudit --help (Linux) for all input
options, exit codes, and defaults.
Each probe reports one of these states:
ACCESSIBLE, KEY_RESTRICTED, REQUEST_CONTEXT_REQUIRED, API_NOT_ENABLED,
BILLING_NOT_ENABLED, PROJECT_UNAVAILABLE, RATE_LIMITED, INVALID_KEY,
NETWORK_ERROR, or UNKNOWN.
The overall key result is VALID, INVALID, or INDETERMINATE. Restriction ratings
are STRONG, MODERATE, UNVERIFIED, or N/A.
Results describe only the IP, referrer, origin, and application context used for that scan. They do not show the key's full configuration or prove that an unobserved restriction is absent.
Use --json for schema-v2 output. Keys are masked unless --show-key is set, but the
report may still contain sensitive project or restriction details.
The catalog contains small, non-destructive requests across Google Maps Platform,
YouTube, the Gemini API, Firebase Auth, public Workspace endpoints, and other Google
services. Probes use nonexistent resources or reserved .invalid addresses where
needed and avoid operations that create or change data.
Pricing and terms can change. Check the relevant Google documentation before enabling billable or non-commercial probes. APIs that require OAuth or a service account are not tested.
The project uses .NET 10.
dotnet restore AIzaAudit.slnx
dotnet build AIzaAudit.slnx -c Release --no-restore
dotnet test AIzaAudit.slnx -c Release --no-build
dotnet format AIzaAudit.slnx --verify-no-changes --no-restoreRun from source:
Read-Host "Google API key" |
dotnet run --project AIzaAudit --no-launch-profile --Building Native AOT on Windows requires Visual Studio 2022 or Build Tools with the Desktop development with C++ workload.
See CONTRIBUTING.md before changing a probe. Report security issues as described in SECURITY.md.
AIza Audit is not affiliated with or endorsed by Google LLC. Google and its product names are trademarks of Google LLC.