Replit Token Scanner

A community-led project that aims to scan published Repls to find secrets and invalidate them.


This repo contains the scanner code and the website. The scanner runs at 1-minute intervals, typically 45 seconds of task running and 15 seconds of downtime. A task fetches recently published Repls via Replit's GraphQL API, then spawns a child process that creates clients, which connect to each of these Repls via crosis4furrets (an abstraction of @replit/crosis).

Upon connection, each client recursively lists the Repl's directory tree (filtering out common directories such as packages) and then reads every file. The files are matched against regexes that find exposed secrets and tokens. The child process then reports any Repls containing tokens to the task, which posts the tokens to the dump repository, from where GitHub handles invalidating the tokens with its Token Scanning Partners.
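
A minimal sketch of the walk-and-match step described above, added here as an illustration and not taken from this project's code. The in-memory tree stands in for files read over the Repl connection; the two rules, the skip list, the redacted preview and all function names are assumptions.

```javascript
// Illustrative rules only; the project's own regexes are not shown on this page.
const RULES = [
  { name: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
];
// Directories skipped during the walk (assumed list, matched at any depth).
const SKIP_DIRS = new Set(["node_modules", ".git", ".cache", "venv"]);

// Flatten a nested tree ({ name: string | subtree }) into [path, content] pairs.
function* walk(tree, prefix = "") {
  for (const [name, node] of Object.entries(tree)) {
    const path = prefix + name;
    if (typeof node === "string") yield [path, node];
    else if (!SKIP_DIRS.has(name)) yield* walk(node, path + "/");
  }
}

// Keep only a short prefix so findings can be logged without re-leaking the secret
// (an addition for this example, not something the page says the project does).
const redact = (s) => s.slice(0, 8) + "*".repeat(s.length - 8);

function scan(tree) {
  const findings = [];
  for (const [path, content] of walk(tree)) {
    content.split("\n").forEach((line, i) => {
      for (const { name, re } of RULES) {
        for (const m of line.matchAll(re)) {
          findings.push({ path, line: i + 1, rule: name, preview: redact(m[0]) });
        }
      }
    });
  }
  return findings;
}

// Constructed sample tree; the token-shaped strings are fake and built at runtime.
const FAKE_PAT = "ghp_" + "A".repeat(36);
const FAKE_AWS = "AKIA" + "0".repeat(16);
const SAMPLE = {
  "index.js": `const client = login();\nconst token = "${FAKE_PAT}";\n`,
  "README.md": "No secrets here, ghp_short is not a match.",
  config: { "aws.env": `AWS_ACCESS_KEY_ID=${FAKE_AWS}\n` },
  node_modules: { dep: { "fixture.js": `x = "${FAKE_PAT}"` } },
};

console.log(scan(SAMPLE));
```

The copy of the fake token under `node_modules` is never read, which is the point of the directory filter: vendored fixtures and package caches produce noise and slow each scan cycle.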

Although not recommended, you can create your own token scanning instance by cloning this repository and doing a little bit of setup.

You will need:

  • a Replit Token (see here)
  • a GitHub Personal Access Token
  • a GitHub repository to dump tokens

Clone this repository and add the following secrets to your environment:



Once you complete that, you may run:

$ yarn install
$ yarn start

To start scanning tokens!


This project is in active development and we would love some ✨ fabulous ✨ contributions! To get started, visit our Contributing documentation.


This project is licensed under the MIT License. For more information, see LICENSE.

