Validate and analyze GCP service account key JSON files safely in your browser.
Last verified: May 2026
Security Notice: This tool runs entirely in your browser. No data is sent to any server. However, never paste production service account keys into any online tool.
GCP service account key files are JSON documents containing a private key, client email, project ID, and other metadata needed for authentication. These files are high-value targets because anyone with the key can authenticate as the service account. This validator checks the structure and metadata of a key file entirely in your browser — the key never leaves your machine. It verifies the required fields exist, validates the key format, checks the project ID and client email patterns, and warns about potential issues like keys that should be rotated based on their creation date.
This validator runs entirely in your browser using client-side JavaScript. The key file contents are never sent to any server, API, or external service. You can verify this by checking your browser's network tab during validation — no outbound requests are made. That said, you should still rotate any key you suspect has been exposed and prefer workload identity federation over long-lived keys whenever possible.
Google recommends rotating service account keys every 90 days. GCP organizations can enforce this with an organization policy constraint (iam.serviceAccountKeyExpiryHours). However, the best practice is to avoid user-managed keys entirely by using workload identity federation for external workloads and attached service accounts for GCP-based workloads, which eliminates key management overhead.
Your CI pipeline started failing overnight with cryptic 'invalid_grant' errors when authenticating to GCP. You suspect the service account key stored in your CI secret manager got mangled during a recent secret rotation. You paste the suspect key into the validator and immediately see 'malformed private_key — missing END PRIVATE KEY marker.' Someone trimmed the trailing newline when copying the key into the secret manager UI. You re-upload with the proper newline and CI is green again in minutes.
The validator parses the input as JSON in your browser, then checks each required field against the documented schema for GCP service account keys: type must equal 'service_account', private_key must be a PEM-formatted RSA key with valid BEGIN/END markers, client_email must match the [name]@[project].iam.gserviceaccount.com pattern, and project_id must conform to GCP project ID rules. No data leaves the browser — you can confirm this by opening DevTools' Network tab during validation.
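The checks described above, written out as an added JavaScript example (not this tool's own source code). The function name, the loose match on the service account name, the extra check for literal `\n` text, and the sample key are assumptions made for illustration; the PEM body is constructed placeholder data.

```javascript
// Added example; names are illustrative and not taken from the tool's source.
// Project ID rules: 6-30 chars of [a-z0-9-], leading letter, no trailing hyphen.
const PROJECT_ID = "[a-z][a-z0-9-]{4,28}[a-z0-9]";
const PROJECT_ID_RE = new RegExp(`^${PROJECT_ID}$`);
// Assumption: the service account name part is matched loosely.
const EMAIL_RE = new RegExp(`^[a-z0-9-]+@${PROJECT_ID}\\.iam\\.gserviceaccount\\.com$`);
const PEM_RE =
  /^-----BEGIN PRIVATE KEY-----\r?\n[A-Za-z0-9+\/=\r\n]+-----END PRIVATE KEY-----\s*$/;

// Returns a list of issues; messages name fields only and never echo key material.
function validateServiceAccountKey(text) {
  let key;
  try {
    key = JSON.parse(text);
  } catch {
    return ["input is not valid JSON"];
  }
  if (key === null || typeof key !== "object" || Array.isArray(key)) {
    return ["top-level JSON value must be an object"];
  }
  const issues = [];
  const str = (f) => (typeof key[f] === "string" ? key[f] : "");
  if (key.type !== "service_account") issues.push("type must equal 'service_account'");
  if (!PROJECT_ID_RE.test(str("project_id"))) issues.push("project_id breaks project ID rules");
  if (!EMAIL_RE.test(str("client_email"))) issues.push("client_email does not match pattern");
  if (!str("private_key_id")) issues.push("private_key_id is missing");
  const pem = str("private_key");
  if (!pem.includes("-----BEGIN PRIVATE KEY-----")) {
    issues.push("malformed private_key: missing BEGIN PRIVATE KEY marker");
  } else if (!pem.includes("-----END PRIVATE KEY-----")) {
    issues.push("malformed private_key: missing END PRIVATE KEY marker");
  } else if (pem.includes("\\n")) {
    issues.push("malformed private_key: literal \\n text instead of line breaks");
  } else if (!PEM_RE.test(pem)) {
    issues.push("malformed private_key: content between markers is not base64 lines");
  }
  return issues;
}

// Constructed sample: the PEM body is placeholder base64, not a real key.
const SAMPLE_KEY = {
  type: "service_account",
  project_id: "example-project-123",
  private_key_id: "0123456789abcdef0123456789abcdef01234567",
  private_key:
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n",
  client_email: "ci-deployer@example-project-123.iam.gserviceaccount.com",
};
```

An empty array means every structural check passed; it says nothing about whether the key is still enabled or has been revoked in GCP.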
Treat any service account key file you've ever emailed, Slacked, or stored in a non-vault location as compromised. Rotate it immediately and migrate that workload to workload identity federation — there's no safe way to 'un-leak' a long-lived key once it's been seen by another system.
The private_key_id field in a key file is the public identifier you can safely share when filing support cases. Never share private_key — it's the actual RSA private key in PEM format and grants full impersonation of the service account.
If a key file fails validation with a malformed private_key, the most common cause is a corrupted copy-paste that broke the PEM line endings. Re-download the key from GCP rather than trying to repair the PEM block.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.