Security Vulnerability (severity: critical)

API Key Exposure

API key exposure occurs when secret credentials are hardcoded in frontend code, making them accessible to anyone who views your application's JavaScript.


What is API Key Exposure?

When developers hardcode API keys directly in source files, those keys become visible to anyone who inspects the frontend code. Attackers use automated tools to scan websites and GitHub repositories for exposed keys, which they can then use to access your services, rack up charges, or steal data.

How It Happens

  • Hardcoding keys during development and forgetting to remove them
  • AI code generators including secrets in frontend code
  • Confusion about which keys are safe to expose (anon vs service keys)
  • Not using environment variables properly
  • Committing .env files to version control

Impact

  • Unauthorized API usage and charges (OpenAI, Stripe, AWS)
  • Access to third-party services under your account
  • Data theft through compromised database connections
  • Service disruption if keys are revoked
  • Financial liability for unauthorized usage

How to Detect

  • Search code for common key patterns (sk_, AKIA, AIza)
  • Check JavaScript bundles in browser DevTools
  • Use secret scanning tools (git-secrets, trufflehog)
  • Run VAS to automatically detect exposed keys
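The first two detection steps above can be automated with a few regular expressions run over a built bundle. The following is an added example, not code from the page or from the VAS product: a minimal scanner for the key prefixes the page names (sk_, AKIA, AIza) plus the sk-proj- shape used in the page's own bad example. The pattern shapes are my assumptions for illustration and the bundle excerpt is constructed; the report masks each match so the scanner itself never reprints a whole secret.

```javascript
// Added example, not code from the page or the VAS product: a minimal scanner that
// looks through a built JavaScript bundle for the key prefixes the page names
// (sk_, AKIA, AIza) plus the sk-proj- shape from the page's own bad example.
// Pattern shapes are assumptions for illustration; the bundle text is constructed.

const SECRET_PATTERNS = [
  // Stripe secret keys: sk_live_ / sk_test_ and a long alphanumeric body
  { name: "stripe_secret", re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}(?![0-9A-Za-z])/g },
  // AWS access key IDs: AKIA followed by 16 upper-case alphanumerics
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}(?![0-9A-Za-z])/g },
  // Google API keys: AIza followed by 35 characters from [A-Za-z0-9_-]
  { name: "google_api_key", re: /\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g },
  // OpenAI project keys: sk-proj- prefix (shape assumed from the page's example)
  { name: "openai_project_key", re: /\bsk-proj-[0-9A-Za-z_-]{20,}(?![0-9A-Za-z_-])/g },
];

// Never print the whole secret in a report; a prefix and the last four characters
// are enough for a developer to locate the key and rotate it.
function mask(value) {
  return `${value.slice(0, 8)}…${value.slice(-4)}`;
}

// Returns one finding per match: which pattern fired, the 1-based line, a masked value.
function scanBundle(text) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ name, line, masked: mask(m[0]) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed bundle excerpt. Line 1 holds a Stripe *publishable* key, which is
// designed to ship to browsers and must not be reported; lines 3, 5, 6 and 7 hold
// constructed secrets (the AWS value is Amazon's documented example key ID).
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_test_publishableKeysAreMeantToShip");',
  'fetch("https://api.openai.com/v1/chat/completions", {',
  '  headers: { Authorization: "Bearer sk-proj-abc123DEF456ghi789JKL012mno" }',
  '});',
  'const aws = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };',
  'const maps = "' + "AIza" + "SyA" + "0".repeat(32) + '";',
  'const billing = require("stripe")("' + "sk_test_" + "A1b2C3d4".repeat(3) + '");',
].join("\n");

function main() {
  for (const f of scanBundle(SAMPLE_BUNDLE)) {
    console.log(`line ${f.line}: ${f.name} ${f.masked}`);
  }
}

main();
```

Run this against the files a bundler emits (for example the contents of a `dist/` or `.next/static/` directory) rather than against source alone: the bundle is what the browser actually receives, so it catches keys that were inlined at build time as well as ones typed into source.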

How to Fix

Move secrets to environment variables

Store all API keys in .env files and read them through process.env. This only keeps a key private when the code runs on the server: bundlers inline any variable they expose to the client (for example Next.js variables prefixed NEXT_PUBLIC_), so a key read through process.env in frontend code is still shipped to the browser.

import OpenAI from "openai";

// BAD - hardcoded: the literal ends up in the shipped bundle for anyone to read
const openai = new OpenAI({ apiKey: "sk-proj-abc123..." });

// GOOD - environment variable, read at runtime on the server
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });

Add .env to .gitignore

Never commit environment files to version control.

# .gitignore
.env
.env.local
.env.production

Move API calls server-side

Secrets should only be used in server-side code (API routes, Edge Functions).

// pages/api/generate.ts (Next.js API route)
import type { NextApiRequest, NextApiResponse } from "next";
import OpenAI from "openai";

export default async function handler(req: NextApiRequest, res: NextApiResponse) {
  if (req.method !== "POST") {
    return res.status(405).json({ error: "Method not allowed" });
  }
  const openai = new OpenAI({
    apiKey: process.env.OPENAI_API_KEY // Server-side only: never shipped to the browser
  });
  // ... call openai with validated input from req.body and return only the result to the client
}

Rotate exposed keys immediately

If a key was exposed, generate a new one and revoke the old key. Deleting the key from the current source is not enough: a key that was ever committed remains readable in version-control history, so rotate it regardless.
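The steps above (secret in an environment variable, API call made server-side, browser never holding the key) fit together as shown in the following added example. It is not code from the page or from the VAS product: a small framework-agnostic Node module in which the browser posts a prompt to our own /api/generate route, only the server reads OPENAI_API_KEY, and the client receives a trimmed result. UPSTREAM_URL, the request shape and the model name are assumptions for illustration; fetchImpl is injected so the handler can be exercised offline with a stand-in for fetch.

```javascript
// Added example, not code from the page or the VAS product: the "move API calls
// server-side" fix as a small Node module. The browser posts a prompt to our own
// /api/generate route; only the server reads OPENAI_API_KEY and calls the upstream API.
// UPSTREAM_URL, the request shape and the model name are assumptions for illustration;
// fetchImpl is injected so the handler can be exercised offline with a fake fetch.

const UPSTREAM_URL = "https://api.openai.com/v1/chat/completions"; // assumed upstream
const MAX_PROMPT_CHARS = 2000;

// Fail fast: a missing secret should stop the server at startup, not surface later.
function loadSecret(env = process.env) {
  const key = env.OPENAI_API_KEY;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("OPENAI_API_KEY is not set; refusing to start");
  }
  return key;
}

// What the browser sends: the prompt and nothing else. No key exists on this side.
function buildClientRequest(prompt) {
  return {
    url: "/api/generate",
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ prompt }),
    },
  };
}

// Server-side handler. Validates the client's input, attaches the secret only to the
// outbound request, and returns a trimmed result so neither the key nor raw upstream
// errors reach the browser. Returns { status, body } instead of writing to a framework
// response object so it is framework-agnostic and easy to test.
async function generateHandler(req, fetchImpl = globalThis.fetch, env = process.env) {
  if (req.method !== "POST") {
    return { status: 405, body: { error: "method not allowed" } };
  }
  const prompt = req.body && req.body.prompt;
  if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > MAX_PROMPT_CHARS) {
    return { status: 400, body: { error: `prompt must be 1-${MAX_PROMPT_CHARS} characters` } };
  }
  const upstream = await fetchImpl(UPSTREAM_URL, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${loadSecret(env)}`, // secret only on the server-to-server hop
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ model: "gpt-4o-mini", messages: [{ role: "user", content: prompt }] }),
  });
  if (!upstream.ok) {
    // Log the details server-side if needed; the client only gets a generic error.
    return { status: 502, body: { error: "upstream request failed" } };
  }
  const data = await upstream.json();
  const text = data.choices && data.choices[0] && data.choices[0].message
    ? data.choices[0].message.content
    : "";
  return { status: 200, body: { text } };
}

// Offline demonstration with a stand-in for fetch, so the module runs without network access.
async function demo() {
  const fakeFetch = async () => ({
    ok: true,
    json: async () => ({ choices: [{ message: { content: "hello from upstream" } }] }),
  });
  const env = { OPENAI_API_KEY: "sk-proj-CONSTRUCTED-DEMO-KEY-0000" }; // constructed, not a real key
  console.log(buildClientRequest("hi"));
  console.log(await generateHandler({ method: "POST", body: { prompt: "hi" } }, fakeFetch, env));
  console.log(await generateHandler({ method: "GET" }, fakeFetch, env));
}

demo();
```

In a Next.js deployment the handler body would be wrapped by the framework's API route (or an Edge Function) and the client request by a fetch in the page component; the point that carries over is that the only place the key string ever appears is the Authorization header of the server-to-server call.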

Is Your App Vulnerable?

VAS automatically scans for API key exposure and provides detailed remediation guidance.
