CheckIfSecure

Scan any website for exposed Supabase credentials and leaked database records.

What This API Does

  1. Crawls JavaScript — fetches every <script> on the target page and searches for leaked Supabase URLs and JWT tokens.
  2. Enumerates tables — if a token is found, it calls the Supabase REST API to list all accessible tables and reads their rows.
  3. Classifies severity — each table is analysed for sensitive fields (emails, passwords, tokens, PII, financial data) and assigned a level: critical, high, medium, or none.
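The first and third steps above, as an added example that is not part of CheckIfSecure's own code: a Python pre-deployment check a team can run over its own built bundle before shipping it. It finds Supabase cloud project URLs and JWT-shaped tokens in JavaScript text, reads the payload of any token it finds (without verifying the signature) to learn which project the key belongs to, and classifies a table's column names into the critical / high / medium / none levels the Field Reference lists. The bundle text and the token in it are constructed here; the token's payload is synthetic and its signature is a placeholder. The keyword lists, and the assumption that "medium" covers other PII and financial columns, are mine, not the service's. The second step (querying the REST API) is not reproduced; the classifier is shown on column lists instead.

```python
import base64
import json
import re

# Step 1 patterns: Supabase cloud project URLs and JWT-shaped tokens (three
# base64url segments; a JWT whose header is a JSON object starts with "eyJ").
# Custom-domain project URLs cannot be matched generically and are not covered.
SUPABASE_URL_RE = re.compile(r"https://[a-z0-9-]+\.supabase\.co")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Step 3 keyword lists (assumed: the page names the categories, not the exact
# column-name rules). Matching is case-insensitive substring matching.
CRITICAL_KEYWORDS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key")
HIGH_KEYWORDS = ("email", "phone", "mobile")
MEDIUM_KEYWORDS = ("address", "birth", "dob", "ssn", "iban", "card_number", "salary")
LEVEL_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed: a synthetic key with an invented payload and a placeholder
# signature, embedded in a fake bundle. Not a real project or credential.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"iss": "supabase", "ref": "abcdefghijklmnop", "role": "anon", "exp": 1999999999}),
    "c2lnbmF0dXJl",
])
SAMPLE_BUNDLE = (
    'const e=createClient("https://abcdefghijklmnop.supabase.co","' + SAMPLE_JWT + '");'
    'fetch("https://abcdefghijklmnop.supabase.co/rest/v1/users?select=*");'
)


def _dedupe(items):
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def find_supabase_urls(js: str) -> list:
    return _dedupe(SUPABASE_URL_RE.findall(js))


def find_jwts(js: str) -> list:
    return _dedupe(JWT_RE.findall(js))


def decode_claims(token: str) -> dict:
    """Read the payload segment without verifying the signature: enough to
    learn which project ref a leaked key belongs to, so the right owner
    can rotate it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_columns(columns) -> tuple:
    """Return (level, sensitive_fields) for one table's column names,
    using the page's levels: critical, high, medium, none."""
    level, flagged = "none", []
    for col in columns:
        name = col.lower()
        if any(k in name for k in CRITICAL_KEYWORDS):
            col_level = "critical"
        elif any(k in name for k in HIGH_KEYWORDS):
            col_level = "high"
        elif any(k in name for k in MEDIUM_KEYWORDS):
            col_level = "medium"
        else:
            continue
        flagged.append(col)
        if LEVEL_RANK[col_level] > LEVEL_RANK[level]:
            level = col_level
    return level, flagged


def check_bundle(js: str) -> dict:
    """Same verdict rule as the API: vulnerable if a JWT is present in the JS."""
    urls, jwts = find_supabase_urls(js), find_jwts(js)
    return {
        "supabase_urls": urls,
        "jwts": jwts,
        "projects": [decode_claims(t).get("ref") for t in jwts],
        "vulnerable": bool(jwts),
    }


if __name__ == "__main__":
    print(json.dumps(check_bundle(SAMPLE_BUNDLE), indent=2))
    print(classify_columns(["id", "email", "password_hash", "created_at"]))
```

Run it against the concatenated output of your bundler in CI; a non-empty `jwts` list means a key was compiled into client code and should be rotated on the project whose `ref` the claims name. The classifier is a heuristic over column names only, which is why a column such as `notes` holding sensitive free text would be missed.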

Endpoints

POST /scan

Send a JSON body with the target URL.

curl -X POST https://www.checkifsecure.com/scan \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com"}'

GET /scan?url=

Pass the URL as a query parameter.

curl "https://www.checkifsecure.com/scan?url=https://example.com"

Response Shape

{
  "site":                "https://example.com",
  "vulnerable":          true | false,
  "supabase_urls":       ["https://xyz.supabase.co"],
  "jwts":                ["eyJ..."],
  "tables": [
    {
      "table":               "users",
      "rows":                142,
      "dumped":              true,
      "vulnerable":          true,
      "vulnerability_level": "critical",
      "sensitive_fields":    ["email", "password"]
    }
  ],
  "vulnerability_summary": {
    "total_tables_accessible": 5,
    "vulnerable_tables_count": 2,
    "critical_count":          1,
    "high_count":              1,
    "medium_count":            0,
    "vulnerable_tables": [...]
  },
  "error": null,
  "report": "Scanning https://example.com\n  VULNERABLE: Supabase JWT exposed\n  [+] Found 2 table(s)\n    RISK users: 142 row(s) - CRITICAL - Sensitive fields: email, password\n    [+] posts: 87 row(s) - Public data (no sensitive fields detected)"
}

Field Reference

Field                         Type      Description
vulnerable                    bool      true if a Supabase JWT was found in the site's JS
supabase_urls                 string[]  Discovered Supabase project URLs (cloud or custom domain)
jwts                          string[]  Leaked JWT tokens extracted from JavaScript bundles
tables[].vulnerability_level  string    critical (passwords/tokens), high (emails/phones), medium, or none
tables[].sensitive_fields     string[]  Column names flagged as containing sensitive data
error                         string?   Non-null if the scan encountered an error
report                        string    Pre-formatted plain-text summary of the scan you can print directly to a user (see below)
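A client for the Response Shape and Field Reference above, added here as an example and not part of CheckIfSecure's own code: it builds the POST /scan request from the Endpoints section and reduces a response to what a remediation owner needs first (whether a key is exposed, the worst level, and the vulnerable tables ordered by severity and row count). The sample response embedded below is constructed to match the documented shape; it is not output from a real scan, and the `vulnerable_tables` element type, which the page elides, is left out of it.

```python
import json
import sys
import urllib.request

SCAN_ENDPOINT = "https://www.checkifsecure.com/scan"
LEVEL_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def build_scan_request(target_url: str) -> urllib.request.Request:
    """POST /scan with a {"url": ...} body, as the Endpoints section describes."""
    body = json.dumps({"url": target_url}).encode()
    return urllib.request.Request(
        SCAN_ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )


def run_scan(target_url: str, timeout: float = 60.0) -> dict:
    """Network call; not exercised offline."""
    with urllib.request.urlopen(build_scan_request(target_url), timeout=timeout) as resp:
        return json.load(resp)


def triage(result: dict) -> dict:
    """Order a /scan response for remediation. The `error` field is checked
    first because a failed scan says nothing about the site either way."""
    if result.get("error"):
        return {"status": "error", "error": result["error"], "findings": []}
    if not result.get("vulnerable"):
        return {"status": "clean", "worst": "none", "findings": []}
    vulnerable_tables = [t for t in result.get("tables", []) if t.get("vulnerable")]
    vulnerable_tables.sort(
        key=lambda t: (
            -LEVEL_RANK.get(t.get("vulnerability_level", "none"), 0),
            -int(t.get("rows", 0)),
        )
    )
    summary = result.get("vulnerability_summary", {})
    return {
        "status": "vulnerable",
        "worst": vulnerable_tables[0]["vulnerability_level"] if vulnerable_tables else "none",
        "leaked_jwts": len(result.get("jwts", [])),
        "accessible_tables": summary.get("total_tables_accessible", len(result.get("tables", []))),
        "findings": [
            {
                "table": t["table"],
                "level": t["vulnerability_level"],
                "rows": t.get("rows", 0),
                "fields": t.get("sensitive_fields", []),
            }
            for t in vulnerable_tables
        ],
    }


# Constructed sample following the documented Response Shape (not a real scan).
SAMPLE_RESPONSE = {
    "site": "https://example.com",
    "vulnerable": True,
    "supabase_urls": ["https://xyz.supabase.co"],
    "jwts": ["eyJ..."],
    "tables": [
        {"table": "posts", "rows": 87, "dumped": True, "vulnerable": False,
         "vulnerability_level": "none", "sensitive_fields": []},
        {"table": "profiles", "rows": 300, "dumped": True, "vulnerable": True,
         "vulnerability_level": "high", "sensitive_fields": ["email", "phone"]},
        {"table": "users", "rows": 142, "dumped": True, "vulnerable": True,
         "vulnerability_level": "critical", "sensitive_fields": ["email", "password"]},
    ],
    "vulnerability_summary": {
        "total_tables_accessible": 3,
        "vulnerable_tables_count": 2,
        "critical_count": 1,
        "high_count": 1,
        "medium_count": 0,
    },
    "error": None,
    "report": "Scanning https://example.com\n  VULNERABLE: Supabase JWT exposed\n",
}


if __name__ == "__main__":
    # With a URL argument the scan runs live; without one the sample is triaged.
    result = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(json.dumps(triage(result), indent=2))
```

Note that `vulnerable: true` is set whenever a JWT is found in the JavaScript, so `worst` can be `"none"` while `status` is `"vulnerable"`: the key is exposed but every table the scan could read was classified as public data.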

The report Field

Every response includes a report string — a ready-to-display, human-readable summary of the scan. LLMs and agents can print this directly to the user instead of parsing the JSON. Example output:

Scanning https://app.example.com/login
  VULNERABLE: Supabase JWT exposed
  [+] Found 12 table(s)
    RISK users: 142 row(s) - CRITICAL - Sensitive fields: email, password
    [+] organisations: 0 row(s) - Public data (no sensitive fields detected)
    [+] campaigns: 0 row(s) - Public data (no sensitive fields detected)
    [-] secrets: blocked (HTTP 401)

  VULNERABILITY SUMMARY:
     Critical: 1 table(s)
     High:     0 table(s)
     Medium:   0 table(s)
     Total vulnerable: 1/12 accessible table(s)
       - users [critical]: email, password

For LLMs & Agents

This API is designed for programmatic use. To scan a site, make a single POST /scan request with a JSON body containing {"url": "https://target.com"}. The response is fully structured JSON. No authentication is required. The report field in every response contains a pre-formatted plain-text summary you can print directly to the user without any extra formatting. A machine-readable description is available at /llms.txt and interactive docs at /docs.

Links