
How to Hide API Keys in Cursor

Cursor is a code editor — it does not store or manage API keys for your app. Use .env files locally (always add .env to .gitignore), and use your hosting platform's environment variables or secrets manager for production. Configure .cursorrules to instruct the AI never to hardcode secrets.

Why this matters

Unlike Lovable, Bolt, or Replit, Cursor does not have a built-in secrets manager. API key management depends on your project setup and deployment platform. The main risk is AI-generated code that hardcodes keys or places them in client-side files.

What's at stake

A single hardcoded API key committed to a public repo can be exploited within minutes. AI code generation sometimes suggests hardcoding for convenience — if you accept without reviewing, you deploy the vulnerability.

Step by step.

1. Create a .env file in your project root

Create a .env file and add your API keys as KEY=value pairs, for example:

OPENAI_API_KEY=sk-...

This file stores secrets locally during development.

2. Add .env to .gitignore immediately

Open your .gitignore file and add .env on a new line. This prevents the secrets file from being committed to version control. Do this before your first commit.

3. Configure .cursorrules to prevent hardcoded secrets

Add rules like "Never hardcode API keys or secrets — always use process.env" and "All external API calls must go through server-side code" to your .cursorrules file. This guides the AI to generate secure code.

4. Access keys only in server-side code

Use process.env.YOUR_KEY in API routes, server actions, or edge functions — never in React components or other client-side files. Framework-specific: avoid NEXT_PUBLIC_ or VITE_ prefixes for secret keys.

5. Configure your hosting platform's secrets

For deployment, add your API keys in your hosting provider's environment variables section. Vercel: Project Settings > Environment Variables. Netlify: Site Settings > Environment Variables. AWS: Parameter Store or Secrets Manager.

6. Verify no keys in your git history

Run: git log --all --diff-filter=A -- "*.env" to list every commit that added a file matching *.env, which tells you whether .env was ever committed. If it was, rotate all affected keys immediately — git history preserves the values even after the file is deleted.
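As an added example (not code from the original article), the following Node script automates the source-level checks from steps 2 and 4: it flags pasted key literals and secret-looking NEXT_PUBLIC_/VITE_ variables in a constructed sample project and confirms that .gitignore covers .env. The regexes, name heuristics and sample files are my own assumptions; git history is still checked with the git log command in step 6.

```javascript
// Added example, not from the original article: a pre-commit style check for
// two mistakes described above, secrets pasted into source files and private
// names exposed through NEXT_PUBLIC_ / VITE_ prefixes. Patterns and samples are
// constructed for illustration; run it over tracked source files, not .env.
const SECRET_PATTERNS = [
  /\bsk-[A-Za-z0-9_-]{20,}\b/,               // OpenAI-style key
  /\bkey_[A-Za-z0-9]{16,}\b/,                // "key_..." token
  /\b(?:api[_-]?key|secret|token)\s*[:=]\s*['"`][^'"`]{16,}['"`]/i, // quoted literal
];
// Public-prefixed names reach the browser bundle; flag only those that also
// look like private credentials (NEXT_PUBLIC_SUPABASE_ANON_KEY still passes).
const PUBLIC_PREFIX = /\b(?:NEXT_PUBLIC_|VITE_)([A-Z0-9_]+)/g;
const PRIVATE_HINT = /SECRET|PRIVATE|SERVICE_ROLE|(?:^|_)API_KEY$/;

// Scan one file's text; returns findings as {file, line, kind, match}.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    const hit = SECRET_PATTERNS.map((re) => lineText.match(re)).find(Boolean);
    if (hit) findings.push({ file, line: i + 1, kind: 'hardcoded-secret', match: hit[0] });
    for (const m of lineText.matchAll(PUBLIC_PREFIX)) {
      if (PRIVATE_HINT.test(m[1])) {
        findings.push({ file, line: i + 1, kind: 'public-prefix-secret', match: m[0] });
      }
    }
  });
  return findings;
}
function scanProject(files) {
  return Object.entries(files).flatMap(([file, text]) => scanSource(file, text));
}
// True when .gitignore contains an entry that covers the root .env file.
function gitignoreCoversEnv(gitignoreText) {
  const entries = gitignoreText.split(/\r?\n/).map((l) => l.trim());
  return entries.some((l) => ['.env', '/.env', '.env*', '*.env'].includes(l));
}

// Constructed sample project: a client component with a pasted key and a
// leaked public-prefixed secret, beside a correctly written server route.
const SAMPLE_FILES = {
  'components/Chat.jsx': [
    'const client = new OpenAI({ apiKey: "sk-constructedsamplekey0123456789ABCDEF" });',
    'const leaked = process.env.NEXT_PUBLIC_OPENAI_API_KEY;',
  ].join('\n'),
  'app/api/chat/route.js': [
    'const client = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });',
    'const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;',
  ].join('\n'),
};
console.log(scanProject(SAMPLE_FILES)); // two findings, both in components/Chat.jsx
```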

Detect hardcoded secrets in your Cursor-built project

  • Codebase scan for hardcoded API key patterns
  • Git history analysis for accidentally committed secrets
  • Remediation guide for moving keys to proper storage

Frequently asked questions.

No. Cursor is a code editor, not a platform. For secrets management, use .env files locally and your hosting provider's environment variables for deployment.

AI code generation can suggest hardcoding for simplicity. Configure .cursorrules to explicitly prevent this. Always review generated code for hardcoded strings that look like API keys.

Variables prefixed with NEXT_PUBLIC_ (Next.js) or VITE_ (Vite) are included in the frontend JavaScript bundle and visible to anyone. Use these prefixes only for public values like Supabase anon keys — never for secret keys.

Search your codebase for API key patterns (strings starting with sk-, key_, etc.). Check git history with: git log --all --diff-filter=A -- '*.env'. Open your deployed app and search the bundled JavaScript in the Sources tab of DevTools for the same patterns; anything found there is visible to every visitor.