Exposed API Keys in Replit Projects
Replit provides a Secrets manager for environment variables, but developers frequently bypass it by hardcoding keys directly in source files. Because Replit projects can be public by default and the source code is viewable, exposed keys are trivially discoverable.
How It Happens
Replit has a built-in Secrets feature that stores environment variables securely, but many developers, especially beginners, paste API keys directly into their code. Replit's AI Agent also generates code with hardcoded keys when users include key values in their prompts.

Replit projects are public by default, so anyone can view the full source code of a public Repl, including hardcoded API keys. Even when developers move keys to Secrets later, the keys remain in the code history (forks and version history) that other users may already have accessed.

Another common pattern is client-side API calls. Replit's Agent often generates frontend JavaScript that calls third-party APIs directly from the browser. Even if the key is stored in Secrets, the Agent may expose it by embedding it in client-side JavaScript or HTML templates that are sent to the browser; once a value is in a response body, every visitor can read it from the browser's developer tools.
Impact
Exposed keys in public Repls are immediately accessible to anyone. Automated scrapers specifically target Replit for API key harvesting because of the large number of public projects with hardcoded secrets. OpenAI and other AI service keys are the most commonly exploited. Attackers use them to generate content at the key owner's expense, often running up hundreds or thousands of dollars in API charges before the key is discovered and revoked. Database connection strings (MongoDB Atlas, PlanetScale, Supabase service_role keys) give attackers direct access to production data. For Replit apps that store user information, this creates a data breach affecting every user of the application.
How to Detect
If your Repl is public, view it as a logged-out user. Search the visible source code for common key patterns: sk- (OpenAI), sk_live_ and sk_test_ (Stripe), mongodb+srv:// (MongoDB), postgres:// or postgresql:// (PostgreSQL), and any long random strings in JavaScript files. Check the Repl's version history as well: a key deleted from the current file is still present in earlier revisions. Check your Replit Secrets panel to ensure all sensitive values are stored there rather than in code. Then verify that no server-side Secret values are being passed to client-side JavaScript through template rendering or API responses: open the deployed app in a browser, view the page source and the network tab, and search the responses for the Secret values. Vibe App Scanner detects API keys in the deployed application by analyzing the frontend JavaScript bundle and server responses, catching keys that are exposed at runtime even if they are stored in Secrets.
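The manual search above can be automated. The script below is an added example written for this page, not part of Replit or of any scanner product: it walks a Repl's working tree and reports the key prefixes named above plus a generic rule for other providers (a credential-like variable name assigned a long, high-entropy literal). The regexes, the entropy threshold and the sample file are all assumptions made for the demo; every key value in the sample is constructed.

```python
"""Scan a Repl's files for hardcoded credentials before (or after) making it public.

Added example for this page, not part of Replit or any scanner product.  The
specific regexes cover the prefixes named in the text; the generic rule catches
other providers' keys by looking for a credential-like name assigned a long,
high-entropy literal.  The sample file below is constructed for the demo.
Usage from the Repl shell:  python scan_secrets.py .
"""
import math
import os
import re
import sys
from collections import Counter

PATTERNS = {
    "openai":   re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "stripe":   re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "mongodb":  re.compile(r"mongodb(?:\+srv)?://[^\s'\"]+"),
    "postgres": re.compile(r"postgres(?:ql)?://[^\s'\"]+"),
}
# Generic rule: a name containing key/secret/token/password assigned a quoted literal of 20+ chars.
ASSIGNED_LITERAL = re.compile(
    r"(?i)(?:key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]([A-Za-z0-9_\-+/=]{20,})['\"]"
)
ENTROPY_THRESHOLD = 3.5   # bits per character (assumed); "xxxx..." placeholders score 0, real keys 4-5
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv", "venv"}
SKIP_EXT = {".png", ".jpg", ".gif", ".ico", ".pdf", ".zip"}


def shannon_entropy(s):
    """Bits per character of the string; high values mean random-looking, i.e. key-like."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<string>"):
    """Return (path, line_no, kind, value) for every credential-looking literal in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()   # values already reported by a specific pattern on this line
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                seen.add(m.group(0))
                findings.append((path, line_no, kind, m.group(0)))
        for m in ASSIGNED_LITERAL.finditer(line):
            value = m.group(1)
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy", value))
    return findings


def scan_tree(root):
    """Walk the Repl's working tree; skips dependency folders and binary-ish files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SKIP_EXT:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue
    return findings


# Constructed sample: every value below is made up for the demo, none is a real credential.
SAMPLE = """\
import os
openai.api_key = "sk-proj-AbC123xYz789QwErTy456UiOp"
STRIPE_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
MONGO_URI = "mongodb+srv://app:hunter2@cluster0.example.net/prod"
DB = "postgres://admin:s3cret@db.example.internal:5432/app"
GITHUB_TOKEN = "ghp_k9Qz2vLm8Xn4Rt7Wp1Yh6Bj3Cd5Ef0G"
api_key = os.environ["OPENAI_API_KEY"]      # read from Secrets: not flagged
PLACEHOLDER_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"  # low entropy: not flagged
"""


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.py")
    for path, line_no, kind, value in hits:
        # Print only the ends of the value so the report itself does not become a new leak.
        print("%s:%d: %s: %s...%s" % (path, line_no, kind, value[:6], value[-4:]))
    sys.exit(1 if hits else 0)
```

Running it with no argument scans the built-in sample and reports five findings: the OpenAI, Stripe, MongoDB and PostgreSQL literals, and the GitHub-style token caught by the entropy rule; the os.environ line and the all-x placeholder are not reported. The scanner only sees the current working tree, so a key that was committed and later deleted still needs a separate pass over the Repl's version history.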
How to Fix
Move all API keys to Replit's Secrets manager (the lock icon in the sidebar). Access them in Python with os.environ['KEY_NAME'] or in Node.js with process.env.KEY_NAME. Never import or require a file that contains hardcoded keys.

Make your Repl private if it contains any sensitive configuration. Go to the Repl settings and toggle visibility to "Private" to prevent source code browsing. This does not undo exposure that has already happened: existing forks keep their copy of the code.

For third-party API calls, always route them through your server-side code. The frontend should call your Replit server endpoint, which then calls the external API with the secret key from Secrets. Validate the request on the server and return only the fields the frontend needs, so that neither the provider's raw response nor the key itself ever reaches the browser.

Rotate any key that was ever visible in a public Repl. Even if you have since moved it to Secrets, the old value exists in forks and caches. Generate a new key from the service provider's dashboard, store it in Secrets, and revoke the old one.
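The server-side routing described above, as an added example written for this page rather than code from Replit or its Agent. The browser POSTs to /api/generate on the Repl; the handler reads the key from the environment (where the Secrets panel puts it), calls the provider, and returns a fixed set of fields. A small guard, client_config, refuses to serialise anything containing a Secret's value, which is the check to run on whatever a template or config endpoint sends to the browser. UPSTREAM_URL, the JSON field names and the Secret names are placeholders assumed for the demo, not any provider's real API.

```python
"""Server-side proxy for a third-party API in a Replit Python project.

Added example for this page.  The key is used only in the server-to-provider
request and is never serialised into a response, a template or client-side JS.
Assumptions: UPSTREAM_URL, the JSON field names and SECRET_NAMES are stand-ins,
not any provider's real endpoint or schema.
"""
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_URL = "https://api.example.com/v1/generate"   # assumption: placeholder provider endpoint
SECRET_NAMES = ("OPENAI_API_KEY", "DATABASE_URL")      # assumption: the Secrets this app defines
MAX_PROMPT = 4000


def upstream_request(prompt, env=os.environ):
    """Build the server-to-provider request.  The key is read here, server-side, and nowhere else."""
    key = env["OPENAI_API_KEY"]   # KeyError means the Secret is missing: fail loudly, never fall back to a literal
    body = json.dumps({"prompt": prompt}).encode()
    return urllib.request.Request(
        UPSTREAM_URL,
        data=body,
        headers={"Authorization": "Bearer " + key, "Content-Type": "application/json"},
        method="POST",
    )


def send_upstream(req):
    """Default transport; the test replaces it with a fake so nothing leaves the machine."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def handle_generate(raw_body, env=os.environ, send=send_upstream):
    """Validate the browser's request, call the provider, return (status, payload).

    Only the 'text' field is forwarded; the provider's raw response (which may
    carry account details or echoed headers) is never relayed to the client.
    """
    try:
        prompt = json.loads(raw_body)["prompt"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "expected a JSON object with a 'prompt' field"}
    if not isinstance(prompt, str) or not prompt or len(prompt) > MAX_PROMPT:
        return 400, {"error": "prompt must be a non-empty string of at most %d characters" % MAX_PROMPT}
    result = send(upstream_request(prompt, env))
    return 200, {"text": result.get("text", "")}


def client_config(public, env=os.environ):
    """Guard for anything rendered into HTML or JS: refuse if a Secret's value appears in it.

    'public' is the dict the developer intends to ship to the browser.  Checking it
    against the actual Secret values catches the template-leak case from the text.
    """
    serialised = json.dumps(public)
    for name in SECRET_NAMES:
        value = env.get(name)
        if value and value in serialised:
            raise RuntimeError("refusing to send Secret %s to the client" % name)
    return serialised


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/api/generate":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length") or 0)
        status, payload = handle_generate(self.rfile.read(length))
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Bind to 0.0.0.0 so Replit's hosting can reach the server; the port is an assumption.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

The frontend only ever calls /api/generate with a prompt; the Authorization header exists solely inside upstream_request. Anything that is rendered into a page should pass through client_config so that a Secret added later cannot leak through a template by accident.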
Code Examples
Using API keys in a Replit Python project
# Hardcoded in main.py (visible in public Repl)
import openai

openai.api_key = "sk-proj-abc123xyz..."   # anyone who can read the file, a fork, or the history has this key

# Stored in Replit Secrets, accessed via environment
import os
import openai

openai.api_key = os.environ['OPENAI_API_KEY']   # raises KeyError if the Secret has not been added
# Key is stored in Replit Secrets panel, not in code

Frequently Asked Questions
Are Replit Secrets secure?
Yes, Replit Secrets are stored encrypted and are not visible in the source code view. However, if your server-side code passes a Secret value to the frontend (via an API response or HTML template), it becomes exposed to users.
Can other users see my Replit Secrets?
No. Secrets are only accessible to the Repl owner and collaborators. They are not visible when others view or fork a public Repl. However, forkers get their own empty Secrets panel and need to add their own keys.
My Repl was public with hardcoded keys. Is it too late?
You should assume the keys are compromised. Rotate all exposed keys immediately through each service provider's dashboard. Moving them to Secrets now prevents future exposure, but the old values may have been scraped already.
Is Your App Vulnerable?
VAS automatically scans for exposed API keys and other security issues in Replit apps. Get actionable results with step-by-step fixes.
Scans from $5, results in minutes.