critical
Security Vulnerability

API Key Exposure

Last updated: January 12, 2026

API key exposure occurs when secret credentials are hardcoded in frontend code, making them accessible to anyone who views your application's JavaScript.

Scan for This Vulnerability

What is API Key Exposure?

When developers hardcode API keys directly in source files, those keys become visible to anyone who inspects the frontend code. Attackers use automated tools to scan websites and GitHub repositories for exposed keys, which they can then use to access your services, rack up charges, or steal data.

Why It's Dangerous

This vulnerability can allow attackers to access sensitive data, compromise user accounts, or gain unauthorized control over your application. In AI-generated code, this issue is particularly common because security measures are often deprioritized in favor of rapid feature development.

Why AI Code Is Vulnerable

AI code generation tools focus on producing functional code quickly. They often generate patterns that work correctly but lack the defensive measures experienced security engineers would implement. This makes api key exposure particularly prevalent in vibe-coded applications.

Understanding the Technical Details

API Key Exposure is classified as a critical-severity vulnerability because of its potential to cause significant damage to your application and users. Understanding the technical mechanics helps you recognize and prevent this issue in your own code.

This vulnerability typically occurs when security controls are either missing entirely, improperly configured, or incorrectly implemented. In many cases, the code appears to work correctly during development and testing, but the security flaw becomes exploitable once the application is deployed and accessible to malicious actors.

Attackers actively scan for this type of vulnerability using automated tools. Once discovered, exploitation can be rapid—often within hours of your application going live. The consequences range from data theft and account takeover to complete system compromise depending on the application's architecture.

For vibe-coded applications built with platforms like Lovable, Bolt.new, Replit, or v0.dev, this vulnerability appears in roughly 20-40% of deployments according to security research. The AI-generated patterns often follow insecure defaults that require manual security hardening.

How It Happens

  • Hardcoding keys during development and forgetting to remove them
  • AI code generators including secrets in frontend code
  • Confusion about which keys are safe to expose (anon vs service keys)
  • Not using environment variables properly
  • Committing .env files to version control

Impact

Unauthorized API usage and charges (OpenAI, Stripe, AWS)

Access to third-party services under your account

Data theft through compromised database connections

Service disruption if keys are revoked

Financial liability for unauthorized usage

How to Detect

  • Search code for common key patterns (sk_, AKIA, AIza)
  • Check JavaScript bundles in browser DevTools
  • Use secret scanning tools (git-secrets, trufflehog)
  • Run VAS to automatically detect exposed keys

How to Fix

Move secrets to environment variables

Store all API keys in .env files and access via process.env.

// BAD - hardcoded
const openai = new OpenAI({ apiKey: "sk-proj-abc123..." });

// GOOD - environment variable
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });

Add .env to .gitignore

Never commit environment files to version control.

# .gitignore
.env
.env.local
.env.production

Move API calls server-side

Secrets should only be used in server-side code (API routes, Edge Functions).

// pages/api/generate.ts (Next.js API route)
export default async function handler(req, res) {
  const openai = new OpenAI({
    apiKey: process.env.OPENAI_API_KEY // Server-side only
  });
  // ...
}

Rotate exposed keys immediately

If a key was exposed, generate a new one and revoke the old key.

Commonly Affected Platforms

Bolt SecurityLovable SecurityReplit Securityv0 SecurityCursor SecurityWindsurf Security

Prevention Best Practices

The most effective approach to api key exposure is prevention. Implementing security measures during development is significantly easier and less costly than remediating vulnerabilities after deployment.

Security-First Development

When using AI code generation tools, always review the generated code for security implications. AI tools prioritize functionality over security, so treat all generated code as requiring security review. Establish a checklist of security requirements specific to your application type and verify each before deployment.

Continuous Security Testing

Integrate security scanning into your development workflow. Run scans after major code changes, before deployments, and on a regular schedule for production applications. Early detection of vulnerabilities reduces remediation costs and prevents potential breaches.

Defense in Depth

Never rely on a single security control. Implement multiple layers of protection so that if one control fails, others still protect your application. For example, combine authentication, authorization, input validation, and output encoding to create comprehensive protection against attacks.

Stay Informed

Security threats evolve constantly. Follow security researchers, subscribe to vulnerability databases, and monitor your dependencies for known issues. Understanding emerging threats helps you proactively protect your applications before attackers exploit new techniques.

Is Your App Vulnerable?

VAS automatically scans for api key exposure and provides detailed remediation guidance with code examples. Our scanner specifically targets vulnerabilities common in AI-generated applications.

Scans from $5, results in minutes. Get actionable results with step-by-step fix instructions tailored to your stack.

Get Starter Scan

Frequently Asked Questions

Which API keys are safe to expose in frontend code?

Only keys explicitly designed for public use are safe: Supabase anon key, Firebase client config (apiKey), and Stripe publishable key (pk_). NEVER expose: OpenAI keys (sk-), Stripe secret keys (sk_), AWS credentials (AKIA), service_role keys, or any key containing 'secret' or 'private'.

How do attackers find exposed API keys?

Attackers use automated tools that scan public websites, JavaScript bundles, GitHub repositories, and npm packages. They search for known key patterns (sk_, AKIA, AIza, etc.). Within minutes of exposure, keys can be discovered and exploited for cryptocurrency mining, spam, or data theft.

I accidentally committed an API key to git. What should I do?

1) Rotate the key immediately in the provider's dashboard, 2) Remove from code and add to .gitignore, 3) Use git-filter-repo or BFG to remove from history, 4) Force-push the cleaned history. Just deleting the file doesn't remove it from git history - attackers scan historical commits.

How can I use secret APIs from my frontend app?

Create a backend API route (Next.js API routes, Supabase Edge Functions, AWS Lambda) that makes the secret API call server-side, then call your backend from the frontend. Your backend keeps the secret, and your frontend only sees the response.

Related Vulnerabilities

Rls MisconfigurationSource Map ExposureGit Secrets Leak