
I was doing my usual GitHub recon when I found an API key in a public repo. The key was for Azure OpenAI and it was still working. It gave access to 190+ AI models.
Here’s how I found it.
The Find
I was looking through a public repository and saw a file called appsettings.json. This is a config file used in .NET projects.
I opened it and found this:
{
  "AzureOpenAI": {
    "Endpoint": "https://[REDACTED].openai.azure.com",
    "ApiKey": "[REDACTED]"
  }
}
An Azure OpenAI API key in plain text.
Testing the Key
I needed to check if it still worked. I ran this curl command:
curl -s "https://[REDACTED].openai.azure.com/openai/models?api-version=2024-02-15-preview" \
  -H "api-key: [REDACTED]"
Got HTTP 200. The key was valid.
What I Found
The API returned a list of available models. There were 190+ of them.
Some of the models:
Chat: gpt-4o, gpt-4.1, gpt-5-mini, gpt-5-chat, claude-opus-4-5, claude-sonnet-4-5, DeepSeek-R1, Llama-4-Maverick, grok-3
Reasoning: o3-mini, o4-mini
Image: dall-e-3
Video: sora
Audio: whisper
The Problem
With this key, someone can:
- Make API calls to any of these models
- Leave the owner of the key to pay for everything
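A pre-commit style check for the kind of file shown in this post, added here as an example and not taken from the original write-up: it walks an appsettings.json document and reports hard-coded credentials by their .NET configuration key. The key-name list, the placeholder patterns and the sample values are assumptions, and the input is assumed to be strict JSON without comments.

```python
import json
import re

# Key names that usually hold credentials in .NET configuration (assumed list).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|password|token|connectionstring)$", re.I)
# Values that are clearly not live secrets: empty, redacted, or template tokens.
PLACEHOLDER = re.compile(r"^$|^\[.*\]$|^<.*>$|^\$\{.*\}$|^changeme$", re.I)


def find_secrets(node, path=()):
    """Walk parsed JSON and yield the path of every secret-looking string value."""
    if isinstance(node, dict):
        for name, value in node.items():
            here = path + (name,)
            if isinstance(value, str):
                if SECRET_NAME.search(name) and not PLACEHOLDER.match(value.strip()):
                    yield here
            else:
                yield from find_secrets(value, here)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_secrets(value, path + (str(index),))


def scan_appsettings(text):
    """Return each finding as its .NET config key and the matching env var name."""
    findings = []
    for path in find_secrets(json.loads(text)):
        findings.append({
            "config_key": ":".join(path),  # hierarchy form used by .NET configuration
            "env_var": "__".join(path),    # same key expressed as an environment variable
        })
    return findings


# Constructed sample in the same shape as the file in the post; the key is fake.
SAMPLE = """
{
  "Logging": {"LogLevel": {"Default": "Information"}},
  "AzureOpenAI": {
    "Endpoint": "https://example-resource.openai.azure.com",
    "ApiKey": "0123456789abcdef0123456789abcdef"
  },
  "Storage": {"ConnectionString": "[REDACTED]"}
}
"""

if __name__ == "__main__":
    for f in scan_appsettings(SAMPLE):
        print(f"hard-coded secret at {f['config_key']}; supply it via {f['env_var']} instead")
```

The reported env_var name is the form .NET reads from the environment, so the value can move out of the committed file without code changes.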
Done
I found the key, tested it, reported it. That’s it.

FOUND DATE: Jan 19, 2026