diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000..9a419bdb6
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,22 @@
+# gitleaks config — straw
+#
+# Straw is a YouTube Android client. Patterns flagged:
+# - SharedPreferences key constants (KEY_SB_CATS, REQUEST_KEY) — identifier
+# strings, not credentials
+# - GOOGLE_API_KEY in PoTokenWebView.kt — the InnerTube public API key
+# every YouTube client (web, Android, iOS, NewPipe, all forks) ships
+# hardcoded. Public-by-design; YouTube enforces auth via other channels
+# (visitor data, po_token).
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Public InnerTube API key + SharedPreferences key-name constants"
+regexTarget = "line"
+regexes = [
+ # InnerTube hardcoded key, public on every YouTube client
+ '''GOOGLE_API_KEY\s*=\s*"AIza[A-Za-z0-9_-]{35}"''',
+ # SharedPreferences keys — identifier string, not a credential
+ '''(private\s+)?(const\s+val|val|var|final\s+(static\s+)?String)\s+(KEY|REQUEST_KEY|PREF_KEY)_[A-Z_]+\s*=''',
+]
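Review bot: The first entry in `regexes = [` exempts the shape of any Google API key (`AIza` plus 35 chars) assigned to `GOOGLE_API_KEY`, not the single public InnerTube value the header comment describes, and because `regexTarget = "line"` the whole line is suppressed, so a later commit that swaps a private Google Cloud key into the same constant would pass the scan silently. Pin the pattern to the known literal instead, e.g. `'''GOOGLE_API_KEY\s*=\s*"<PUBLIC_INNERTUBE_KEY_LITERAL>"'''` (placeholder for the value currently in PoTokenWebView.kt), so any other value under that name is still reported. The second regex has the same gap in milder form: it keys only on the constant's name (`KEY_`, `REQUEST_KEY_`, `PREF_KEY_`) and never inspects the value, so a real credential stored in a `KEY_`-prefixed constant would also be hidden; if the preference names are all plain identifiers, anchoring the value side (a bare lowercase/underscore string literal after the `=`) would close that. The header comment names PoTokenWebView.kt but nothing in the config restricts the exemption to that file, and as I read gitleaks' global `[allowlist]`, adding `paths` would not narrow it since paths and regexes are independent exemptions — worth stating in the comment that the allowlist is repo-wide, or why file scoping was not used.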