Is it safe to paste my service account key into a browser tool?

This validator runs entirely in your browser using client-side JavaScript. The key file contents are never sent to any server, API, or external service. You can verify this by checking your browser's network tab during validation — no outbound requests are made. That said, you should still rotate any key you suspect has been exposed and prefer workload identity federation over long-lived keys whenever possible.

How often should service account keys be rotated?

Google recommends rotating service account keys every 90 days. GCP organizations can enforce this with an organization policy constraint (iam.serviceAccountKeyExpiryHours). However, the best practice is to avoid user-managed keys entirely by using workload identity federation for external workloads and attached service accounts for GCP-based workloads, which eliminates key management overhead entirely.

GCP SA JSON Validator

IAM & SecurityGCP

Validate and analyze GCP service account key JSON files safely in your browser.

Security Notice: This tool runs entirely in your browser. No data is sent to any server. However, never paste production service account keys into any online tool.

Service Account Key JSON

Redacted Analysis JSON

Output will appear here...

About This Tool

GCP service account key files are JSON documents containing a private key, client email, project ID, and other metadata needed for authentication. These files are high-value targets because anyone with the key can authenticate as the service account. This validator checks the structure and metadata of a key file entirely in your browser — the key never leaves your machine. It verifies the required fields exist, validates the key format, checks the project ID and client email patterns, and warns about potential issues like keys that should be rotated based on their creation date.

When to Use This Tool

•Verifying a downloaded service account key file has the correct structure before using it in a CI/CD pipeline
•Checking that a key file contains all required fields (type, project_id, private_key_id, private_key, client_email) without exposing it to an external service
•Identifying whether a key file is a user-managed key versus a GCP-managed key based on its metadata
•Validating key files received from team members or third parties before importing them into secret management systems

Frequently Asked Questions

Is it safe to paste my service account key into a browser tool?: This validator runs entirely in your browser using client-side JavaScript. The key file contents are never sent to any server, API, or external service. You can verify this by checking your browser's network tab during validation — no outbound requests are made. That said, you should still rotate any key you suspect has been exposed and prefer workload identity federation over long-lived keys whenever possible.
How often should service account keys be rotated?: Google recommends rotating service account keys every 90 days. GCP organizations can enforce this with an organization policy constraint (iam.serviceAccountKeyExpiryHours). However, the best practice is to avoid user-managed keys entirely by using workload identity federation for external workloads and attached service accounts for GCP-based workloads, which eliminates key management overhead entirely.

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.