How to Fix API Key Exposure in Replit Apps
Replit makes sharing and forking easy, but this means hardcoded API keys in your code can spread rapidly. If your repl is public, anyone can see your source code and extract credentials. This guide helps you migrate all secrets to Replit Secrets.
Follow These Steps
Search for hardcoded credentials in your repl
Check all files for API keys, passwords, and connection strings. The grep below is a heuristic: it only matches the listed name patterns and file types, so also open config.json, .env and any other config files by hand.
# In the Replit shell
grep -rni --exclude-dir=node_modules "sk-\|api_key\|apiKey\|password\|secret\|token" . --include="*.py" --include="*.js" --include="*.ts" --include="*.json" --include=".env*"
Check if your repl is public
Go to your repl Settings and check the visibility. If public, anyone can view your entire source code.
Even after moving secrets to Replit Secrets, consider keeping the repl private if it contains sensitive business logic.
Rotate all compromised keys
Generate new keys at each API provider, and revoke the old ones. If the repl was ever public or forked, treat the old keys as compromised: deleting them from the current files does not remove them from the repl's history or from existing forks, so rotation is the only fix.
Add new keys to Replit Secrets
Click the Secrets tab in the Replit sidebar and add each key. Secrets are exposed to your program as environment variables, so every runtime reads them the same way:
# Access secrets in Python
import os
api_key = os.environ.get("OPENAI_API_KEY")
// Access secrets in Node.js
const apiKey = process.env.OPENAI_API_KEY
// Access secrets in Deno (the program must run with --allow-env)
const apiKey = Deno.env.get("OPENAI_API_KEY")
Replace all hardcoded values with environment variable references
Update every file that had hardcoded keys to use environment variables instead. Fail fast when the variable is missing, so a misconfigured repl stops at startup instead of calling the API with an empty key.
# Before (Python)
openai.api_key = "sk-proj-abc123"
# After (Python)
import os
openai.api_key = os.environ.get("OPENAI_API_KEY")
if not openai.api_key:
    raise ValueError("OPENAI_API_KEY not set in Replit Secrets")
Verify secrets are not in any files
Run a final check to confirm all hardcoded credentials have been removed. The bracket expression at the end matches either quote character, so both password = "..." and password = '...' are caught.
grep -rnE --exclude-dir=node_modules "sk-proj|sk-live|password.*=.*[\"']" . --include="*.py" --include="*.js" --include="*.ts" --include="*.json" --include=".env*"
No results means these patterns no longer match; it does not prove the tree is clean, so also skim any config files the grep does not cover. Then run your app to verify it still works with the environment variables.
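As an added example (not code from the original guide), the following Python script turns steps 1 and 6 into one repeatable check you can run in the Replit shell, and step 5's fail-fast read into a helper. It goes a little beyond the grep above: it scans config and dotenv-style files as well as sources, skips dependency directories, ignores lines that already read from the environment, and exits non-zero when it finds anything, so it can gate a deployment. The regex patterns, the skip list and the function names are this example's own assumptions, and the key in the usage note is a constructed placeholder.

```python
"""Repeatable check for steps 1 and 6: scan a repl's file tree for
credential-shaped literals, and read secrets from the environment the way
the Secrets tab exposes them.  Added example, not code from the guide;
the patterns, skip list and function names are this example's own choices."""
import os
import re
import sys
from pathlib import Path

# Credential shapes to flag.  The "sk-" prefixes come from the guide; the
# other two catch `password = "..."`-style literals in source files and
# KEY=value lines in dotenv-style files.  Illustrative, not exhaustive.
PATTERNS = {
    "openai_key": re.compile(r"sk-(?:proj-|live-)?[A-Za-z0-9_-]{16,}"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|apikey|password|secret|token)\b['\"]?\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
    "dotenv_assignment": re.compile(
        r"^\s*[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)\s*=\s*\S{8,}\s*$"
    ),
}
# Directories that hold dependencies or caches, not your code.
SKIP_DIRS = {"node_modules", ".git", ".cache", "venv", ".venv", "__pycache__"}
EXTENSIONS = {".py", ".js", ".ts", ".json", ".toml", ".yaml", ".yml"}
# Lines that already read from the environment are the fixed form, not a leak.
ENV_READS = ("os.environ", "process.env", "Deno.env")


def scan_text(text, path="<string>"):
    """Return (path, line number, pattern name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(marker in line for marker in ENV_READS):
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((str(path), lineno, name))
                break  # one finding per line is enough
    return findings


def scan_tree(root):
    """Walk a repl directory and scan every source, config or dotenv file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if any(part in SKIP_DIRS for part in rel.parts) or not path.is_file():
            continue
        if path.suffix not in EXTENSIONS and not path.name.startswith(".env"):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, rel))
    return findings


def require_secret(name):
    """Read a value set in the Secrets tab and fail loudly if it is absent,
    so a misconfigured repl stops at startup instead of calling the API
    with an empty key."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; add it in the Replit Secrets tab")
    return value


if __name__ == "__main__":
    # Usage in the Replit shell: python scan_secrets.py .   (exits 1 on findings)
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: possible hardcoded {kind}")
    sys.exit(1 if hits else 0)
```

On a tree containing app.py with `openai.api_key = "sk-proj-CONSTRUCTEDEXAMPLEKEY000"` and a config.json with a quoted "password" value, the script reports both lines and exits 1; a file that reads `os.environ.get("OPENAI_API_KEY")` is not reported. Run it once before committing and once after the migration in step 5; the exit code makes it usable as a pre-deploy gate.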
What You'll Achieve
All API keys are rotated and stored in Replit Secrets. No credentials are hardcoded in source files. Your repl is safe to share or keep public without exposing secrets.
Common Mistakes to Avoid
Mistake
Putting secrets in a config.json or .env file in the repl
Fix
Any file in the repl is visible if the repl is public and is copied into every fork, so config.json and .env are no safer than source. Use the Secrets tab instead, which keeps values out of the file tree and exposes them only as environment variables at runtime.
Mistake
Forking a repl with hardcoded keys
Fix
Forked repls inherit all files, including hardcoded keys, so a key in a file propagates to every fork. If you forked a repl that had secrets in its files, rotate those keys immediately and move the new ones to Secrets.
Frequently Asked Questions
Can collaborators see Replit Secrets?
Collaborators with write access can see Secrets through the dashboard, and anyone who can edit and run the repl can read them from the environment at runtime. Viewers of public repls cannot see Secrets. For sensitive projects, limit collaborator access.
Do Replit Secrets persist across deployments?
Yes. Secrets set in the Replit dashboard persist across sessions, restarts, and deployments. They are available as environment variables at runtime.
What if my repl was public and had hardcoded keys?
Assume all keys are compromised. Rotate them immediately at each provider, then move the new keys to Replit Secrets.