How to Hide API Keys in Replit
Use Replit's built-in Secrets feature (Tools > Secrets) to store API keys. Access them as environment variables (process.env.YOUR_KEY) in server-side code only. Since December 2025, deployment secrets automatically sync with workspace secrets.
Why this matters
Replit projects can be public or private. Even with private Repls, your deployed app serves frontend JavaScript that anyone can inspect. API keys in client-side code are visible to every visitor.
What's at stake
Exposed keys on Replit are especially risky because public Repls make every source file visible to everyone, and even private Repls ship their frontend JavaScript to every visitor of the deployed app. Anyone who extracts a key can call the provider on your account until you rotate it: the usage is billed to you, your rate limits are consumed, and any data the key can reach is exposed.
Step by step.
Open Replit Secrets
In your Repl, go to Tools > Secrets. This opens the secure key-value store for sensitive data.
Add your API key
Enter the key name (e.g., OPENAI_API_KEY) and paste the value. The secret is stored separately from your code and not visible in your Repl files.
Access the secret in server-side code
Use process.env.OPENAI_API_KEY to read the secret. This works in Node.js server files, Express routes, and server-side functions: Replit injects the secret as an environment variable, so it is only as private as the process that reads it. Environment variables are read when the process starts, so restart the Repl after adding or changing a secret. Never import or reference secrets in frontend files; frontend build tools such as Vite or Create React App substitute the value of any environment variable the client code references (typically names with a VITE_ or REACT_APP_ prefix) straight into the bundle that every visitor downloads.
Create a server endpoint for API calls
Instead of calling external APIs from the frontend, create a server-side endpoint that handles the API call. The frontend sends only the user's input; the server attaches the API key, forwards the request, and returns just the fields the page needs. Validate and whitelist what the client may send, and add authentication or rate limiting where appropriate, otherwise the endpoint becomes an open relay that anyone can use to spend against your key.
Verify secrets are not in public files
Search your Repl files for the key value (or a distinctive prefix such as sk-) to confirm it appears nowhere in code, config, or a .env file; a .env file in a public Repl is just as exposed as a hardcoded string. If your Repl is public, check every file, not only the ones you edited. For deployed apps, open DevTools, load the served JavaScript bundle, and search it for the same string. If a key was ever pasted into a file that others could see, treat it as compromised and rotate it at the provider: removing it from the file does not recall copies already viewed.
Detect exposed API keys in your Replit application
- Automated scan for hardcoded secrets in Replit projects
- Alerts when API keys are detected in frontend code
- Guide for migrating keys to Replit Secrets
Keep learning.
Frequently asked questions.
Collaborators with edit access to your Repl can view and modify secrets, so be careful who you grant edit access to. Read-only collaborators cannot see secret values. Removing a collaborator does not take back a value they have already seen; rotate the key at the provider whenever access changes.
Yes. Since December 2025, deployment secrets automatically sync with workspace secrets, so a secret added under Tools > Secrets is available to the deployed app as well. Previously, you had to configure deployment secrets separately.
Replit Secrets are not exposed in public Repls — they are stored separately from your code files. However, if you hardcoded a key directly in a code file, it is visible to anyone who views the public Repl.
The Agent accesses secrets through the same process.env mechanism. The risk is if the Agent generates code that hardcodes a key value instead of referencing process.env. Always review Agent-generated code for hardcoded credentials.