Did I Expose My API Key?
If your API key is in your frontend code, committed to a public GitHub repo, or pasted in a chat interface — yes, it is exposed. Immediately rotate the key, check for unauthorized usage, and move the key to a secrets manager or environment variable.
Why this matters
API key exposure is the most common security mistake for builders using AI tools. Lovable, Bolt, Replit, and Cursor all generate code that interacts with external APIs — and AI-generated code sometimes hardcodes keys or places them in client-side files.
What's at stake
An exposed API key can be used to run up charges on your account, access your data, send requests on your behalf, or abuse connected services. Some services charge by usage with no cap — a leaked key can cost thousands.
Step by step.
Check if your key is exposed
Search your codebase for the key value. Check frontend files, .env files committed to git, chat logs in AI tools, and public GitHub repositories. Services like GitHub automatically scan for known API key patterns and may alert you.
Rotate the exposed key immediately
Go to the API provider's dashboard and generate a new key. Revoke or delete the old key. Do this before anything else — every minute an exposed key is active is a risk.
Check for unauthorized usage
Review your API provider's usage logs and billing dashboard. Look for unexpected requests, spikes in usage, or charges you did not authorize. If you find unauthorized activity, contact the provider's support immediately.
Move the key to a secrets manager
Store the new key in your platform's secrets feature — not in code files.
Prevent future exposure
Add .env to your .gitignore file. Enable GitHub secret scanning on your repository. Never paste API keys directly into AI chat interfaces — describe what you need and let the tool prompt you for the key through its secure UI.
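As an added example (not code from this guide or from any of the platforms it mentions), the Python scanner below approximates the first and last steps above: it flags known provider key prefixes and high-entropy, secret-looking assignments in a constructed config file, and checks that the .gitignore excludes .env. The prefix patterns are approximations, the sample key values are fabricated, and the 3.5-bit entropy threshold is an assumption chosen to skip placeholder text.

```python
import math
import re

# Illustrative prefix patterns for a few common providers (approximate, not exhaustive).
KNOWN_PATTERNS = {
    "openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{30,}\b"),
}
# Generic catch-all: a secret-looking variable name assigned a quoted literal.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|secret|token|password)\w*)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, placeholder text scores low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_secrets(text: str, path: str = "<constructed>") -> list[dict]:
    """Return one finding per hardcoded-secret candidate, with the line it sits on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(name, m.group(0)) for name, pat in KNOWN_PATTERNS.items() for m in pat.finditer(line)]
        if not hits:  # fall back to the generic rule, filtered by entropy (assumed 3.5-bit cutoff)
            hits = [("high_entropy_assignment", m.group(2)) for m in ASSIGNMENT.finditer(line)
                    if shannon_entropy(m.group(2)) > 3.5]
        findings += [{"path": path, "line": lineno, "kind": k, "value": v} for k, v in hits]
    return findings

def env_is_ignored(gitignore_text: str) -> bool:
    """True if .gitignore has one of the usual rules keeping a top-level .env out of commits."""
    rules = {ln.strip() for ln in gitignore_text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}
    return bool(rules & {".env", "/.env", ".env*", "*.env"})

# Constructed sample: a client-side config of the kind AI tools sometimes generate. All key values are fake.
SAMPLE_CONFIG_JS = """
const apiBase = "https://api.example.invalid";
const OPENAI_API_KEY = "sk-EXAMPLEfakekeyvalue1234567890abcdefghijk";
const stripeSecret = "sk_live_FAKE0123456789abcdefghijk";
const sessionToken = "x7Qp9vL2mN4rT8wB1kJ6";
const API_KEY_HINT = "enter your key here";
"""
SAMPLE_GITIGNORE = "node_modules/\n# local secrets\n.env\n"

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CONFIG_JS, "src/config.js"):
        print(f"{f['path']}:{f['line']} {f['kind']} -> rotate now: {f['value'][:8]}...")
    print(".env ignored:", env_is_ignored(SAMPLE_GITIGNORE))
```

Run it over your own checkout (and over `git log -p` output) to catch keys that were committed and later deleted; anything it reports should be rotated, not just removed from the file.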
Catch exposed keys before they cause damage
- Automated API key exposure detection in your deployed app
- Pre-launch security checks that flag hardcoded secrets
- Incident response guidance if a key is compromised
Frequently asked questions.
Search your codebase for the key string. Check whether your .env file was ever committed to git (run git log --all -- .env); a key that was committed once stays in the repository history even if you later delete the file, so rotating it is the only reliable fix. View your repo on GitHub — if it is public, your key may already be indexed by bots. GitHub also scans for known key patterns and will alert you.
Yes, as long as .env is in your .gitignore and never committed to version control. For deployment, use your hosting platform's environment variables or secrets manager — never deploy .env files directly.
Lovable detects API keys pasted in chat and warns you, but the key may still be in the chat history. Rotate the key immediately and use the platform's Secrets feature instead. For Bolt, add keys through Project Settings, not the chat.
The Supabase anon key is designed to be public and is subject to your Row Level Security (RLS) policies. An exposed anon key alone is not dangerous — but an exposed anon key combined with missing RLS policies means your data is publicly accessible.
It depends on the service. OpenAI, for example, charges by token usage. A leaked key used by bots could generate thousands of dollars in charges before you notice. Stripe secret keys could be used to issue refunds or access customer data. Always set usage limits and alerts on your API accounts.