Step-by-Step Guide (6 steps)

How to Fix API Key Exposure in Railway Apps

Railway apps may have API keys hardcoded in source files or committed to git. Since Railway is typically used for backend services, exposed keys could give attackers access to databases, payment systems, and third-party APIs. This guide covers finding and fixing every exposed credential.


Follow These Steps

Step 1: Search for hardcoded secrets

Scan your codebase for API keys, passwords, and connection strings. The grep below searches the current working tree only; anything that was committed and later removed still lives in git history, which step 2 addresses.

Code Example

grep -rn "sk-\|password.*=\|apiKey\|secret\|DATABASE_URL.*=.*postgresql" src/ --include="*.ts" --include="*.js" --include="*.py"
Step 2: Rotate all compromised credentials

Generate new keys at each provider and revoke the old ones. Treat any secret that ever appeared in git history as compromised, even if it has since been removed from the current files.

Step 3: Add secrets to Railway Variables

Use the Railway dashboard or CLI to set environment variables for your service.

Code Example

# Via Railway CLI
railway variables set OPENAI_API_KEY=sk-proj-new-key
railway variables set STRIPE_SECRET_KEY=sk-live-new-key

# Or use Railway dashboard > Service > Variables tab
# Variables are encrypted and injected at runtime

Step 4: Use Railway variable references for database URLs

Railway provides automatic variable references for linked services.

Code Example

# In Railway dashboard, use references:
# DATABASE_URL = ${{Postgres.DATABASE_URL}}
# REDIS_URL = ${{Redis.REDIS_URL}}

# These auto-update if the service changes

Step 5: Update code to use environment variables

Replace all hardcoded values with process.env references, and check that the variable is present before using it, so a misconfigured deployment fails at startup instead of at the first request.

Code Example

import Stripe from 'stripe'

// Before
const stripe = new Stripe('sk-live-hardcoded-key')

// After: check the variable first, then construct the client
const stripeKey = process.env.STRIPE_SECRET_KEY
if (!stripeKey) {
  throw new Error('STRIPE_SECRET_KEY environment variable is not set')
}
const stripe = new Stripe(stripeKey)
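Doing the check above once per variable scales badly. The following is an added example (not code from the guide) of a single startup validator for a Railway service: it names every required variable that is missing, rejects values that are placeholders or an unresolved `${{...}}` reference pasted into code instead of the dashboard, and produces a log line that confirms what is set without echoing the values. STRIPE_SECRET_KEY and DATABASE_URL come from the guide; OPENAI_API_KEY appears in step 3; the function names and the placeholder word list are assumptions made for the example.

```javascript
// Added example: fail-fast environment validation for a Railway service (Node.js).
'use strict';

// Variables the service cannot run without. Names follow the guide; the list is illustrative.
const REQUIRED_VARS = ['STRIPE_SECRET_KEY', 'DATABASE_URL', 'OPENAI_API_KEY'];

// Values that should never reach production: blank, a literal unresolved Railway
// reference (the ${{Service.VAR}} syntax belongs in the dashboard, not in code),
// or an obvious placeholder. The word list is an assumption, extend it per project.
function looksLikePlaceholder(value) {
  return value.trim() === ''
    || /^\$\{\{.*\}\}$/.test(value)
    || /hardcoded|changeme|placeholder/i.test(value);
}

// Show only the first 4 characters; enough to recognise a key family, not enough to use it.
function redact(value) {
  return value.length <= 4 ? '****' : value.slice(0, 4) + '...' + value.length + ' chars';
}

// Validate once at startup. Throws an error that names variables, never values,
// so the message is safe to appear in Railway deploy logs.
function loadConfig(env = process.env) {
  const missing = [];
  const unusable = [];
  const config = {};
  for (const name of REQUIRED_VARS) {
    const value = env[name];
    if (value === undefined) { missing.push(name); continue; }
    if (looksLikePlaceholder(value)) { unusable.push(name); continue; }
    config[name] = value;
  }
  if (missing.length || unusable.length) {
    const parts = [];
    if (missing.length) parts.push(`missing: ${missing.join(', ')}`);
    if (unusable.length) parts.push(`placeholder or unresolved: ${unusable.join(', ')}`);
    throw new Error(`Environment is not configured (${parts.join('; ')})`);
  }
  return Object.freeze(config); // nothing should mutate secrets after startup
}

// Startup log line: which variables are set, with values redacted.
function describeConfig(config) {
  return Object.entries(config).map(([k, v]) => `${k}=${redact(v)}`).join(' ');
}

// Typical use at the top of the service entry point:
//   const config = loadConfig();
//   console.log('config loaded:', describeConfig(config));
//   const stripe = new Stripe(config.STRIPE_SECRET_KEY);
// In a real service, let the thrown error terminate the process so the failed
// deploy is visible in Railway instead of serving requests with no credentials.

module.exports = { loadConfig, describeConfig, looksLikePlaceholder, redact, REQUIRED_VARS };
```

Calling `loadConfig()` before any client is constructed turns step 6 into a simple check: if a variable is missing or still a placeholder, the deploy fails immediately with a message that lists the variable names, and the deploy log shows the redacted summary when it succeeds.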
Step 6: Deploy and verify

Deploy your updated code on Railway and verify that the application starts and works using the environment variables. Check the deploy logs: with the startup check from step 5 in place, a missing variable shows up as an immediate failure rather than a runtime error.

Railway automatically redeploys when you push code or change variables.

What You'll Achieve

All credentials are stored in Railway Variables, code references environment variables instead of hardcoded values, and compromised keys have been rotated. Your Railway deployment no longer carries credentials in its source or git history going forward.

Common Mistakes to Avoid

Mistake: Hardcoding database connection strings

Fix: Use Railway variable references like ${{Postgres.DATABASE_URL}} for linked services. They auto-update and are injected securely.

Mistake: Committing .env files to git

Fix: Add .env to .gitignore. Use Railway Variables for production secrets. .env files are only for local development.

Frequently Asked Questions

Are Railway Variables encrypted?

Yes. Railway encrypts environment variables at rest and injects them securely at runtime. They are not visible in build logs by default.

Can I share variables across Railway services?

Yes. Railway supports shared variables at the project level and variable references like ${{ServiceName.VAR_NAME}} to share values between linked services.

Ready to Secure Your App?

VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.
