Exposed API Keys in Lovable Apps
Lovable apps frequently contain API keys visible in the frontend JavaScript bundle. Some of these are designed to be public, but others bypass security entirely and give attackers direct database access.
How It Happens
Lovable connects to Supabase by embedding the project URL and anon key directly in the frontend code. This is normal and expected since the anon key is designed to be public. The real danger emerges when the Supabase service_role key ends up in the frontend. This happens when developers paste their service_role key into Lovable's environment configuration thinking it's needed for the app to work. Lovable doesn't distinguish between public and secret keys, so the service_role key gets bundled into the client-side JavaScript where anyone can extract it. Third-party API keys for services like OpenAI, Stripe secret keys, or email providers are also commonly hardcoded. Lovable's AI generates code that calls these APIs directly from the browser instead of routing through a backend, exposing the keys to anyone who opens DevTools.
Impact
A leaked Supabase service_role key bypasses all Row Level Security policies. An attacker with this key has full read/write/delete access to every table in the database, regardless of RLS rules. This is equivalent to giving someone your database admin password. Exposed OpenAI keys result in direct financial loss as attackers use them to generate content at the key owner's expense. Stripe secret keys allow attackers to issue refunds, view customer payment data, or create fraudulent charges. Even if the exposed key has limited permissions, attackers can use it to enumerate your infrastructure and find further attack surfaces.
How to Detect
Open your Lovable app in a browser, right-click, and select View Source or open DevTools > Sources. Search for common key prefixes: "sk-" (OpenAI/Stripe secret), "service_role" (Supabase), "PRIVATE" or "SECRET" in variable names. Check the network tab while using the app. If requests to api.openai.com, api.stripe.com, or other third-party services originate from the browser (not your backend), the keys are exposed. Vibe App Scanner performs automated key detection across the full JavaScript bundle, identifying both known key formats and suspicious high-entropy strings.
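The manual checks above, automated as an added example in JavaScript (not code from the page, Lovable, Supabase or VAS): it scans a bundle for the "sk-"/"sk_" prefixes, decodes Supabase JWT-form keys to read their role claim, which matters because the literal string "service_role" is base64url-encoded inside the token and a plain text search does not find it, and then flags any remaining high-entropy strings. The sample bundle and every key in it are constructed, and the 4.5 bits/char entropy threshold is an assumption.

```javascript
// Added example, not code from the page, Lovable, Supabase or VAS.
// Shannon entropy in bits per character: random secrets score high, code low.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}
// Decode a JWT payload without verifying it; null if it is not a decodable JWT.
function jwtPayload(token) {
  try {
    const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch { return null; }
}
function scanBundle(source) {
  const findings = [];
  // OpenAI keys start with "sk-", Stripe secret keys with "sk_".
  for (const m of source.matchAll(/\bsk[-_][A-Za-z0-9_-]{16,}/g))
    findings.push({ kind: 'secret-key-prefix', value: m[0] });
  // Supabase anon and service_role keys are JWTs whose payload carries the role,
  // so the string "service_role" is base64url-encoded and a text search misses it.
  for (const m of source.matchAll(/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g)) {
    const role = (jwtPayload(m[0]) || {}).role;
    if (role === 'service_role') findings.push({ kind: 'supabase-service-role', value: m[0] });
    else if (role === 'anon') findings.push({ kind: 'supabase-anon-public', value: m[0] });
  }
  // Anything else long and random-looking that the passes above did not explain.
  for (const m of source.matchAll(/[A-Za-z0-9+/=_-]{32,}/g))
    if (entropy(m[0]) > 4.5 && !findings.some(f => f.value.includes(m[0])))
      findings.push({ kind: 'high-entropy-string', value: m[0] });
  return findings;
}
// Constructed sample bundle: Supabase-shaped keys (HS256 JWTs carrying the role,
// dummy signature) and made-up third-party keys; none of these are real.
function fakeSupabaseKey(role) {
  const b64u = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64u({ alg: 'HS256', typ: 'JWT' })}.${b64u({ iss: 'supabase', role })}.${'x'.repeat(43)}`;
}
const SAMPLE_BUNDLE = `
const supabase = createClient("https://projectref.supabase.co", "${fakeSupabaseKey('anon')}");
const admin = createClient("https://projectref.supabase.co", "${fakeSupabaseKey('service_role')}");
fetch("https://api.openai.com/v1/chat/completions", { headers: { Authorization: "Bearer sk-proj-Qf8zL2kX9vBn3wRt7Yh1Mc4Jp0Dg6Se5" } });
const EMAIL_KEY = "re_F2kP9xQ7mT4vL8nB1cY6hJ3wZ5rG0dSa";
`;
console.log(scanBundle(SAMPLE_BUNDLE).map(f => `${f.kind}: ${f.value.slice(0, 12)}...`));
```

Run it against a real bundle by reading the file into `scanBundle`; the anon key is reported separately so it can be ignored, since it is public by design.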
How to Fix
Move all secret API keys to a backend. For Lovable apps, this means creating Supabase Edge Functions that proxy requests to third-party APIs. The Edge Function holds the secret key, and the frontend calls the Edge Function using the safe anon key. For the Supabase service_role key specifically: remove it from all frontend code immediately, rotate it in the Supabase dashboard, and ensure RLS policies are properly configured so the anon key is sufficient for normal operations. Audit your Lovable project settings and remove any secret keys from environment variables that get bundled into the frontend. Use Supabase Vault for storing secrets that Edge Functions need to access.
Code Examples
Calling OpenAI from a Lovable app
// Frontend code with exposed key: the secret ships to every browser that loads the bundle
const response = await fetch(
  'https://api.openai.com/v1/chat/completions',
  {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer sk-proj-abc123...`,
    },
    body: JSON.stringify({ model: 'gpt-4', messages }),
  }
)

// Call a Supabase Edge Function instead; the frontend only needs the public anon key
const { data, error } = await supabase.functions.invoke(
  'chat',
  { body: { messages } }
)
// The Edge Function holds the secret key server-side and forwards the request to OpenAI

Frequently Asked Questions
Is the Supabase anon key safe to expose?
Yes. The Supabase anon key is designed to be public and is required for the frontend to communicate with Supabase. Security is enforced by Row Level Security (RLS) policies, not by hiding this key.
How do I know if my service_role key is exposed?
Search your app's JavaScript bundle for "service_role" or the key value itself. If you find it in any frontend file, it is exposed. Rotate it immediately in the Supabase dashboard and remove it from your Lovable project.
Can I use Lovable without exposing any keys?
You can use Lovable safely by only exposing the Supabase anon key (which is designed to be public) and routing all third-party API calls through Supabase Edge Functions that hold secret keys server-side.
Is Your App Vulnerable?
VAS automatically scans for exposed API keys and other security issues in Lovable apps. Get actionable results with step-by-step fixes.
Scans from $5, results in minutes.