diff --git a/CHANGELOG.md b/CHANGELOG.md index 1032b19..24e27b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file. ## [v1.96.0] - Added live HTTP validation for 18 rules across 15 providers: Val Town, Polar, hCaptcha, Thunderstore, Elastic Cloud (2 rules), LlamaCloud, Gemfury (2 rules), Vonage, ThingsBoard, Zapier, Facebook Access Token, GitLab Session Cookie, PostHog Feature Flags, Unkey API Key, and Hop.io (2 rules). - Added revocation support for 7 rules across 6 providers: Discord webhooks (single-step DELETE), DigitalOcean PATs (self-revoke via OAuth), and multi-step HttpMultiStep revocation for LaunchDarkly, Resend, Linode, and Netlify (2 rules). Built-in revocation coverage is now 34 provider families with 53 revocation-enabled rules. -- Added 59 new detection rules across 44 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 28 of these rules. 
+- Added 61 new detection rules across 46 providers: Axiom (API token + PAT), Trigger.dev (secret key + PAT), Dub.co, Svix webhook signing secret, Liveblocks, Inngest (signing key + event key), Seam, Courier, Cal.com, Arcjet, WarpStream, Mem0, Mintlify, Pirsch, Tinybird, Tolgee (project key + PAT), Ory (API key + session + OAuth2 tokens), Xendit, Xata, Crossmint (server + client keys), DeepL (Free + Pro), Flagsmith, E2B, Infisical, WooCommerce (consumer key + secret), Nightfall AI, Ramp (client ID + secret), Hex.pm (personal + workspace tokens), Convex deploy key, MiniMax, Mappedin (key + secret), Pollinations (secret + publishable), Fal.ai, Aikido, Hack Club, GuardSquare, Browser Use, Composio, Gamma, Hex.tech, Mastra, redirect.pizza, Upstash, and WorkOS. Also added new prefixed-token rules for Netlify (`nfp_`), Cloudflare (`cfut_`), and Supabase (`sb_publishable_`). Added live HTTP validation for 30 of these rules. - Removed 17 direct dependencies from the root crate by dropping unused deps (`p256`, `ed25519-dalek`, `jsonwebtoken`, `gitlab`, `lazy_static`, `base32`, `pem`, `byteorder`, `reqwest-middleware`, `sha1`, `time`, `ring`, `num_cpus`, `strum_macros`), replacing `once_cell` with `std::sync::{LazyLock, OnceLock}`, and using `std::thread::available_parallelism()` in place of `num_cpus`. Salt generation now uses `rand` instead of `ring`, and all `strum_macros::Display` imports are consolidated under `strum::Display`. ## [v1.95.0] diff --git a/crates/kingfisher-rules/data/rules/gamma.yml b/crates/kingfisher-rules/data/rules/gamma.yml new file mode 100644 index 0000000..de8948f --- /dev/null +++ b/crates/kingfisher-rules/data/rules/gamma.yml 
@@ -0,0 +1,37 @@ +rules: + - name: Gamma API Key + id: kingfisher.gamma.1 + pattern: | + (?x) + \b + ( + sk-gamma- + [A-Za-z0-9_-]{8} + (?:[A-Za-z0-9_-]{8}){3,7} + ) + \b + confidence: medium + min_entropy: 3.5 + validation: + type: Http + content: + request: + method: GET + url: https://public-api.gamma.app/v1.0/themes?limit=1 + headers: + X-API-KEY: "{{ TOKEN }}" + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: + - '"data"' + - '"hasMore"' + match_all_words: true + references: + - https://developers.gamma.app/readme + - https://developers.gamma.app/docs/workspace/list-themes + examples: + - 'GAMMA_API_KEY="sk-gamma-a1b2c3d4E5f6g7h8I9j0k1l2M3n4o5p6"' diff --git a/crates/kingfisher-rules/data/rules/hex.yml b/crates/kingfisher-rules/data/rules/hex.yml new file mode 100644 index 0000000..7d29fd1 --- /dev/null +++ b/crates/kingfisher-rules/data/rules/hex.yml @@ -0,0 +1,40 @@ +rules: + - name: Hex Technologies API Token + id: kingfisher.hex.1 + pattern: | + (?xi) + \b + ( + hxt[wp]_ + [a-f0-9]{16} + (?:[a-f0-9]{16}){5} + ) + \b + pattern_requirements: + min_digits: 12 + confidence: medium + min_entropy: 3.5 + validation: + type: Http + content: + request: + method: GET + url: https://app.hex.tech/api/v1/projects?limit=1 + headers: + Authorization: "Bearer {{ TOKEN }}" + Accept: application/json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: + - '"values"' + - '"pagination"' + match_all_words: true + references: + - https://learn.hex.tech/docs/api-integrations/api/overview + - https://learn.hex.tech/docs/api-integrations/api/reference + examples: + - "HEX_API_TOKEN=hxtp_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" + - "HEX_WORKSPACE_TOKEN=hxtw_fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
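Review bot: In the CHANGELOG hunk, the new "Gamma" and "Hex.tech" entries do not name the token variants the way the neighbouring entries do (for example "Hex.pm (personal + workspace tokens)"), even though the added hex.yml matches two prefixes (`hxtw_` and `hxtp_`) and its examples label them as `HEX_API_TOKEN` and `HEX_WORKSPACE_TOKEN`; consider writing the entry as "Hex.tech (`hxtp_` + `hxtw_` tokens)" so the list stays self-describing. The count updates themselves are consistent with the two new rule files: 59 -> 61 rules, 44 -> 46 providers, and 28 -> 30 live-validated rules, since both gamma.yml and hex.yml carry a `validation` block.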
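Review bot: In the gamma.yml hunk, the trailing `\b` after a character class that includes `-` and `_` does not reliably terminate the token: `\b` only holds when the last consumed character is a word character, so a token whose final 8-character block ends in `-` makes the engine backtrack to a shorter repetition of `(?:[A-Za-z0-9_-]{8}){3,7}` and capture a truncated value, which then fails the `/v1.0/themes` validation request with a token that is never fully reported. A negative lookahead such as `(?![A-Za-z0-9_-])` in place of the closing `\b` avoids this. Also, unlike hex.yml, this rule has no `pattern_requirements`; if Gamma keys are expected to mix letters and digits (as the example `sk-gamma-a1b2c3d4E5f6g7h8I9j0k1l2M3n4o5p6` does), a `min_digits` requirement alongside `min_entropy: 3.5` would cut down on matches against identifier-like strings before any HTTP call is made.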
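Review bot: In the hex.yml hunk, the rule id `kingfisher.hex.1` is easy to confuse with the existing Hex.pm rules listed in the same CHANGELOG entry (Hex.pm "personal + workspace tokens"); please confirm it does not clash with the ids those rules use and consider a more specific id (for example `kingfisher.hextech.1`) so the two providers are distinguishable in findings. Separately, the `(?xi)` flags make both the `hxt[wp]_` prefix and the 96-character hex body case-insensitive, whereas the two examples and the documented format are lowercase; if real tokens are always lowercase, dropping `i` narrows the match surface at no cost, and if uppercase tokens are legitimate, a short comment in the rule saying so would document the choice. The examples themselves line up with the pattern (`hxtp_`/`hxtw_` plus 6 x 16 hex characters) and satisfy `min_digits: 12`.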