Exposed API Keys in Bolt.new Apps
Bolt.new generates full-stack code in the browser, but secret API keys often end up in the frontend bundle. When the AI writes code to call third-party APIs, it tends to embed keys directly in the client-side code.
How It Happens
Bolt.new generates complete applications from prompts, and when users request integrations with services like OpenAI, Stripe, or database providers, the AI writes API calls with the keys hardcoded directly in the source. Because Bolt runs the whole project, including any Node server, inside the browser during development, nothing in the workflow forces a separation between client and server code. When the app is deployed, those keys ship with the frontend JavaScript bundle. Even if Bolt generates a backend API route, the AI sometimes duplicates the key on both sides or places it in a shared configuration file that gets bundled into the client.

Environment variables are a second risk area. Developers paste secret keys into .env files under names the bundler treats as public: Vite exposes every VITE_-prefixed variable through import.meta.env, and Next.js inlines every NEXT_PUBLIC_-prefixed variable into the client bundle. The prefix is an instruction to ship the value to the browser, not a namespace, and a secret stored under it is public the moment the app is built.
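The following is an added example, not Bolt's, Vite's or Next.js's own code: a simplified model of the build-time replacement step that copies prefixed environment values into the client bundle. The .env values and the client source are constructed for the demo, the bundler behaviour is reduced to a single regex replacement, and the key strings are made up.

```javascript
// Added example, not Bolt's, Vite's or Next.js's code: a simplified model of
// the build-time replacement that puts prefixed env values into the client
// bundle. Vite exposes VITE_* through import.meta.env and Next.js inlines
// NEXT_PUBLIC_* through process.env; any other name resolves to undefined in
// client code and its value never enters the bundle.

const PUBLIC_PREFIXES = ['VITE_', 'NEXT_PUBLIC_'];

// Constructed .env contents (hypothetical values, not real keys).
const ENV = {
  VITE_OPENAI_KEY: 'sk-proj-demo-not-a-real-key',     // exposed: VITE_ prefix
  OPENAI_API_KEY: 'sk-proj-server-only-demo',         // stays server-side
  NEXT_PUBLIC_STRIPE_PK: 'pk_test_demo_publishable',  // exposed: NEXT_PUBLIC_ prefix
  STRIPE_SECRET_KEY: 'sk_test_server_only_demo',      // stays server-side
};

// Constructed client-side source, written the way an AI assistant might.
const CLIENT_SOURCE = [
  'const openai = new OpenAI({ apiKey: import.meta.env.VITE_OPENAI_KEY });',
  'const serverKey = import.meta.env.OPENAI_API_KEY;',
  'const stripe = Stripe(process.env.NEXT_PUBLIC_STRIPE_PK);',
  'const stripeSecret = process.env.STRIPE_SECRET_KEY;',
].join('\n');

// Replace each env reference the way the bundler does: public-prefixed names
// that exist in the env become string literals; everything else becomes
// undefined, so the secret text never reaches the bundle.
function inlineClientEnv(source, env) {
  const refs = /(?:import\.meta\.env|process\.env)\.([A-Za-z0-9_]+)/g;
  return source.replace(refs, (_match, name) => {
    const isPublic = PUBLIC_PREFIXES.some((p) => name.startsWith(p));
    if (isPublic && Object.prototype.hasOwnProperty.call(env, name)) {
      return JSON.stringify(env[name]);
    }
    return 'undefined';
  });
}

function buildClientBundle() {
  return inlineClientEnv(CLIENT_SOURCE, ENV);
}

// Names whose values ended up as literals in the bundle.
function exposedNames(env, bundle) {
  return Object.keys(env).filter((name) => bundle.includes(JSON.stringify(env[name])));
}

console.log(buildClientBundle());
console.log('exposed:', exposedNames(ENV, buildClientBundle()));
```

Running it prints the "bundle" with the two prefixed values embedded as string literals and the two unprefixed references collapsed to undefined. Vite's envPrefix setting widens the exposed set; anything you add there is public too.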
Impact
Exposed secret keys give attackers direct access to paid services at the developer's expense. An OpenAI key can be used to run up thousands of dollars in API calls within hours. A Stripe secret key lets an attacker view customer data, issue refunds, or create charges. A database connection string gives direct SQL access, bypassing every application-level control, whenever the database is reachable from the internet, as most hosted databases are.

Even seemingly low-risk keys can be chained together. An exposed email service key combined with user data from another vulnerability enables targeted phishing against the app's users.
How to Detect
View the deployed app's source in browser DevTools (Sources tab, or save the bundle and grep it). Search for common key prefixes: sk_live_ and sk_test_ (Stripe secret keys), sk- and sk-proj- (OpenAI), key- (various services), and any string that looks like an API key (long alphanumeric or base64 strings with no natural structure). The Network tab is a second check: if the browser itself sends requests to api.openai.com, api.stripe.com, or a database host with an Authorization header, the key is in the client regardless of how the code reads.

Check .env files and configuration for variables prefixed with NEXT_PUBLIC_ or VITE_ that contain secret values. Treat every value under those prefixes as public. Vibe App Scanner automatically detects API keys in JavaScript bundles by matching known key formats and flagging high-entropy strings that are likely secrets.
How to Fix
Create a dedicated backend API layer that holds the secret keys. In Bolt apps, use server-side API routes (Next.js route handlers or Express endpoints) to proxy requests to third-party services. The proxy route is now the thing attackers will hit, so require authentication and rate-limit it; otherwise you have replaced a leaked key with an open endpoint that spends the same quota.

Audit all environment variables. Only values that are truly safe to expose publicly should carry the NEXT_PUBLIC_ or VITE_ prefix. Secret keys must only be available server-side.

Rotate any key that has ever been exposed in a deployed app. Removing it from the code is not enough: the old value may survive in cached builds, CDN caches, git history, or web archives.

Store keys in environment variables on your hosting platform (Vercel, Railway, etc.) without public prefixes, and read them only from server-side code.
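The bundle scan from the detection section and the environment-variable audit from the fix section, as one added Node script. This is not Vibe App Scanner's code; the key patterns, the 32-character minimum for generic tokens and the 4.0-bit entropy cutoff are assumptions to tune for your own apps, and the sample bundle and .env text are constructed with made-up key values.

```javascript
// Added example, not Vibe App Scanner's code: findSecrets() scans bundle text
// for known key formats and high-entropy tokens; auditEnv() parses a .env
// file and reports secret-looking values stored under a public
// NEXT_PUBLIC_ / VITE_ prefix. Patterns and thresholds are assumptions.

const KNOWN_PATTERNS = [
  { kind: 'stripe-secret', re: /sk_(?:live|test)_[A-Za-z0-9]{10,}/g },
  { kind: 'openai', re: /sk-[A-Za-z0-9_-]{20,}/g },
  { kind: 'key-prefixed', re: /key-[0-9a-f]{32}/g },
];
const GENERIC_TOKEN = /[A-Za-z0-9+\/=_-]{32,}/g;
const ENTROPY_THRESHOLD = 4.0; // bits per character; assumed cutoff
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_'];

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Known formats first, then long high-entropy tokens not already covered by
// a known-format hit, so a single key is not reported twice.
function findSecrets(text) {
  const found = [];
  for (const { kind, re } of KNOWN_PATTERNS) {
    for (const m of text.matchAll(re)) found.push({ kind, value: m[0] });
  }
  for (const m of text.matchAll(GENERIC_TOKEN)) {
    const value = m[0];
    const covered = found.some((f) => value.includes(f.value) || f.value.includes(value));
    if (!covered && shannonEntropy(value) >= ENTROPY_THRESHOLD) {
      found.push({ kind: 'high-entropy', value });
    }
  }
  return found;
}

// Minimal .env parser: KEY=value lines, optional surrounding quotes, # comments.
function parseDotEnv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    env[name] = value;
  }
  return env;
}

// Report public-prefixed variables whose value looks like a secret.
// Unprefixed variables are server-only and are not reported.
function auditEnv(text) {
  const env = parseDotEnv(text);
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (!PUBLIC_PREFIXES.some((p) => name.startsWith(p))) continue;
    const hits = findSecrets(value);
    if (hits.length > 0) findings.push({ name, kinds: hits.map((h) => h.kind) });
  }
  return findings;
}

// Constructed sample inputs; the key values are made up, not real credentials.
const SAMPLE_BUNDLE = [
  'var a=new OpenAI({apiKey:"sk-proj-abcDEF123ghiJKL456mnoPQR789stu",dangerouslyAllowBrowser:!0});',
  'var s=Stripe("sk_test_51HxyzDEMOabcdef1234567890");',
  'var t="A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6";',
  'var pad="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";',
].join('\n');

const SAMPLE_ENV = [
  'VITE_OPENAI_KEY=sk-proj-abcDEF123ghiJKL456mnoPQR789stu',
  'NEXT_PUBLIC_STRIPE_KEY="sk_test_51HxyzDEMOabcdef1234567890"',
  'NEXT_PUBLIC_API_URL=https://api.example.com',
  'VITE_APP_NAME=My Bolt App',
  '# server-only, no public prefix: not reported',
  'OPENAI_API_KEY=sk-proj-abcDEF123ghiJKL456mnoPQR789stu',
].join('\n');

function scanSampleBundle() { return findSecrets(SAMPLE_BUNDLE); }
function auditSampleEnv() { return auditEnv(SAMPLE_ENV); }

console.log(scanSampleBundle());
console.log(auditSampleEnv());
```

To run it against a real app, pass the contents of each built .js file (for example from the .next or dist directory) to findSecrets and your .env files to auditEnv. The 40-character run of "a" is there to show why length alone is not a signal: it is long but has zero entropy and is not reported, while the mixed 32-character token is.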
Code Examples
Third-party API call in Bolt app (vulnerable: the key ships in the browser bundle)
import OpenAI from 'openai'

// Frontend code - the key is a string literal in the client bundle, so anyone
// who loads the page can read it in DevTools. The SDK requires
// dangerouslyAllowBrowser precisely because using a secret key here is unsafe.
const openai = new OpenAI({
  apiKey: 'sk-proj-abc123xyz...',
  dangerouslyAllowBrowser: true
})

Fixed: server-side API route that proxies the request
import OpenAI from 'openai'

// Next.js App Router route handler (for example app/api/chat/route.ts).
// The key is read from a server-only environment variable and never reaches
// the browser; the client calls POST /api/chat instead of OpenAI directly.
// Add authentication and rate limiting here before deploying, or the route
// becomes an open proxy for your key's quota.
export async function POST(req: Request) {
  const { prompt } = await req.json()
  if (typeof prompt !== 'string' || prompt.length === 0) {
    return Response.json({ error: 'prompt is required' }, { status: 400 })
  }
  const openai = new OpenAI({
    apiKey: process.env.OPENAI_API_KEY // server only: no NEXT_PUBLIC_ prefix
  })
  const result = await openai.chat.completions.create({
    model: 'gpt-4',
    messages: [{ role: 'user', content: prompt }]
  })
  return Response.json(result)
}

Frequently Asked Questions
Why does Bolt.new put API keys in frontend code?
Bolt generates code optimized for working quickly. The AI doesn't always distinguish between client and server contexts, especially when the user asks for a feature that requires an API call. It takes the shortest path to working code, which often means hardcoding the key.
Which Bolt.new API keys are safe to expose?
Supabase anon keys and Firebase API keys are designed to be public: they identify the project, and access is governed by Row Level Security policies (Supabase) or security rules (Firebase), which must actually be configured for the public key to be safe. All other keys (OpenAI, Stripe secret keys, database passwords, Supabase service_role keys) must be kept server-side only.
How do I move API keys to the server in a Bolt app?
Create API routes in your server framework (Next.js, Express, etc.) that hold the secret keys. The frontend calls your API route, which then calls the third-party service with the secret key. This way the key never reaches the browser.
Is Your App Vulnerable?
VAS automatically scans for exposed API keys and other security issues in Bolt apps. Get actionable results with step-by-step fixes.
Scans from $5, results in minutes.