Introduction

Oracle is the enterprise-grade tool for Verifying, Auditing, and Securing API infrastructure. We solve the critical problem of credential opacity—instantly determining if a key is active, what permissions it holds, and if it belongs to the service you think it does.

Designed for DevOps, Security Engineers, and Developers, Oracle parses complex environment files (`.env`), logs, and configs to provide a unified health report of your entire credential stack.

Key Features

Multi-Provider Support: Native validation for over 30+ services (AI, Cloud, Database, Infra).
Context-Aware Analysis: Detects mismatches between variable names (e.g., `OPENAI_KEY`) and legitimate key types (e.g., Google keys), preventing configuration drift.
Granular Error Reporting: Distinguishes between Invalid (401), Leaked/Inactive (403), and Quota Exceeded (429).
Smart Fallbacks: Automatically identifying cross-provider formats (e.g., Stripe/Clerk collisions, Google/Firebase/Gemini shared prefixes).

Supported Providers (28+)

Oracle supports a massive ecosystem of APIs, constantly updated.

AI & LLM Services

● OpenAI

● Anthropic

● Google Gemini

● Cohere

● Mistral

● Groq

● HuggingFace

Infrastructure & Cloud

● AWS

● Google Cloud

● Firebase

● Supabase

● Heroku

● Cloudinary

● Upstash

● Neon/Postgres

DevOps & Tools

● GitHub

● GitLab

● NPM

● Docker

● Pusher

● Shodan

Communication & Marketing

● Slack

● SendGrid

● Resend

● Mailgun

● MailChimp

● Twilio

● Telegram

Context-Aware Validation

Environment variables are often copy-pasted incorrectly. Oracle reads the context around your key.

# Bad Configuration Example GROQ_API_KEY="AIzaSyB..." <-- This is actually a Google Key! # Oracle Result: [WARNING] Google (Labeled Groq) "This key matches Google format, not Groq (gsk_...)."

Security Architecture

Oracle uses a defense-in-depth model with strict verification semantics and production-safe defaults.

Strict Verification Levels: Every result includes verificationLevel (verified, format_only, unknown). Format-only matches are treated as unverified, not working.
Transport Security: API requests are expected over HTTPS. Optional payload encryption is available when NEXT_PUBLIC_ENCRYPTION_KEY is configured.
Privacy-Safe Leak Handling: Oracle does not send raw keys to third-party code-search providers for leak checks.
Safe Local History Defaults: Postman-style request history is disabled by default. If enabled, sensitive headers/auth fields are redacted before localStorage persistence.
No Credential Database: Oracle does not persist credentials server-side in an application database.

Legal & Terms of Service

1. Disclaimer of Warranty

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

2. Limitation of Liability

You expressly understand and agree that Oracle shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses resulting from the use or the inability to use the service.

3. Zero Retention Policy

Oracle is designed to avoid server-side credential persistence. Verification requests are processed in-memory for request handling and are not written to an Oracle credential database.

Optional payload encryption is supported when configured, and HTTPS transport is required in production. Local client-side history is user-controlled and redacted by default behavior.

4. User Responsibility

You are solely responsible for the security of your API keys. We recommend rotating any keys that you believe may have been compromised, regardless of Oracle's verification results.