How to Fix API Key Exposure in v0 Apps
v0 generates Next.js code that may include API keys inline. Since v0 apps deploy to Vercel, you have access to Vercel environment variables to properly store secrets. This guide covers finding and fixing every exposed key in your v0 project.
Follow These Steps
Search for exposed keys in generated code
Check all files, especially API routes and utility functions, for hardcoded credentials.
grep -rn "sk[-_]\|api_key\|apiKey\|Bearer.*sk\|secret" app/ lib/ --include="*.ts" --include="*.tsx"
Rotate compromised keys at each provider
Generate new API keys immediately. Old keys visible in client code are compromised.
Add secrets to Vercel environment variables
Go to your Vercel project Settings > Environment Variables and add each secret.
# In Vercel dashboard:
# OPENAI_API_KEY = sk-proj-new-key (Production + Preview)
# STRIPE_SECRET_KEY = sk-live-new-key (Production only)
# DATABASE_URL = postgresql://... (Production only)
# For local dev, create .env.local
OPENAI_API_KEY=sk-proj-new-key
Mark sensitive variables as "Sensitive" in the Vercel dashboard to hide them from logs.
Replace hardcoded keys with process.env references
Update all API route files to use environment variables.
// Before
const openai = new OpenAI({ apiKey: 'sk-proj-old-key' })
// After
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY! })
Ensure no NEXT_PUBLIC_ prefix on secrets
Verify that secret keys are not accidentally exposed to the client via the NEXT_PUBLIC_ prefix.
# This should return no results for secrets
grep -rn "NEXT_PUBLIC_.*SECRET\|NEXT_PUBLIC_.*KEY.*sk" .env* app/ lib/
Deploy and scan
Push your changes and run a VAS scan to confirm no secrets remain in the client bundle.
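A scripted version of the last two checks, as an added example that is not part of the original guide: it flags secret-looking variables behind NEXT_PUBLIC_ and server-only values that appear verbatim in built client files. The name and value patterns, the function names, and the .next/static path mentioned for the loader are assumptions, and the sample data is constructed.

```javascript
// Added example; patterns and sample data are constructed for illustration.
// KEY alone is not treated as secret: publishable keys are meant to be public.
const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PRIVATE|DATABASE_URL/i;
const SECRET_VALUE = /^(sk[-_]|postgres(ql)?:\/\/[^@\s]+:[^@\s]+@)/;

// Parse KEY=value lines from .env-style text; comments and blanks are skipped.
function parseEnv(text) {
  const vars = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$/);
    if (m) vars[m[1]] = m[2].trim().replace(/^(['"])(.*)\1$/, "$2");
  }
  return vars;
}

// Findings carry variable names and paths only, never the secret value.
function auditSecrets(envText, clientFiles) {
  const findings = [];
  for (const [name, value] of Object.entries(parseEnv(envText))) {
    if (name.startsWith("NEXT_PUBLIC_")) {
      if (SECRET_NAME.test(name) || SECRET_VALUE.test(value))
        findings.push({ type: "public-prefix", name });
    } else if (value.length >= 16) {
      // Short values (NODE_ENV=production) would match bundles by accident.
      for (const [path, content] of Object.entries(clientFiles))
        if (content.includes(value)) findings.push({ type: "in-bundle", name, path });
    }
  }
  return findings;
}

// Load built client JavaScript, e.g. loadClientFiles(".next/static") after a build.
async function loadClientFiles(dir, out = {}) {
  const fs = await import("node:fs");
  for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = `${dir}/${e.name}`;
    if (e.isDirectory()) await loadClientFiles(p, out);
    else if (e.name.endsWith(".js")) out[p] = fs.readFileSync(p, "utf8");
  }
  return out;
}
// Constructed sample input; none of these are real keys.
const SAMPLE_ENV = `OPENAI_API_KEY=sk-proj-EXAMPLE-not-a-real-key
NEXT_PUBLIC_STRIPE_SECRET_KEY="sk_live_EXAMPLE"
NEXT_PUBLIC_SITE_URL=https://example.com`;
const SAMPLE_FILES = {
  "static/chunks/app.js": 'h={Authorization:"Bearer sk-proj-EXAMPLE-not-a-real-key"}',
};
console.log(auditSecrets(SAMPLE_ENV, SAMPLE_FILES));
```

Run it against the contents of .env.local and the files returned by loadClientFiles after a local build; an empty result means neither check matched.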
What You'll Achieve
All exposed API keys are rotated and stored in Vercel environment variables. Your v0 app accesses secrets only through server-side code, keeping them safe from browser exposure.
Common Mistakes to Avoid
Mistake: Setting secrets in .env but not in Vercel dashboard
Fix: Local .env files do not deploy to Vercel. Add all production secrets through the Vercel project settings.
Mistake: Using NEXT_PUBLIC_ prefix for API secret keys
Fix: NEXT_PUBLIC_ embeds the variable in the browser bundle. Remove the prefix for any secret keys.
Frequently Asked Questions
Does v0 expose API keys by default?
v0 generates code that may include inline API keys if you provided them during generation. Always review generated code for hardcoded credentials before deploying.
Are Vercel environment variables secure?
Yes. Vercel encrypts environment variables at rest and only injects them into your serverless functions at runtime. Variables without NEXT_PUBLIC_ prefix are never sent to the browser.