Secrets
How to find exposed API keys in your code — before bots do
Automated scrapers monitor public repositories and deployed JavaScript bundles around the clock. A leaked key is typically found and abused within minutes, not days. Here's how to beat them to it.
Where keys hide in AI-built apps
- Directly in components — the AI needed a key to make the demo work, so it pasted yours in.
- In config files — a "temporary" constants file that shipped to production.
- In the deployed bundle — anything in frontend code is visible to every visitor via view-source, even if the repo is private.
- In git history — a key committed once and later "removed" is still in every commit that contained it, and in every clone and fork made since; a search of the working tree alone will miss it.
The search patterns
Search your project, including its git history and not just the current files, for these strings: sk_live_ (Stripe live secret key; sk_test_ is the test-mode equivalent), sk- (OpenAI; newer keys start with sk-proj-), AKIA (AWS long-term access key ID; temporary ones start with ASIA), service_role (Supabase; the key itself is a JWT starting with eyJ, so search for that too), AIza (Google API key), plus generic patterns like apiKey = and password = with quoted values. Any literal match in source code is a finding. Two caveats: the prefixes are heuristics, so a bare sk- will also hit unrelated identifiers and each match needs a quick look; and a clean prefix search is not a clean bill of health. Some secrets carry no prefix at all, the AWS secret access key being the usual example, and only stand out as long random-looking strings.
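The search above as a small scanner, added here as an example and not VibeSafe's own code. It tightens the page's prefixes into regexes so that a placeholder or a comment does not fire, and it goes one step beyond the list by adding the high-entropy check mentioned later on this page for prefix-less secrets. The regexes, the 4.0-bit threshold and the sample source are assumptions made for this example; every key in the sample is constructed and fake.

```python
"""Minimal secret scanner: provider prefixes plus a Shannon-entropy heuristic.

Added example (not VibeSafe code). The regex tightening and the 4.0-bit
threshold are choices made for this example; the sample source at the
bottom is constructed and every key in it is fake.
"""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    match: str


# Provider prefixes from the page, tightened so a bare "sk-" or "sk_live" in a
# comment or placeholder does not fire. The AWS entry catches the access key
# ID only; the paired secret access key has no prefix and is left to the
# entropy check below.
PROVIDER_PATTERNS = {
    "Stripe secret key": re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{16,}"),
    "OpenAI API key": re.compile(r"\bsk-(proj-)?[0-9A-Za-z_\-]{20,}"),
    "AWS access key ID": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Legacy Supabase service_role keys are JWTs; the role name usually shows
    # up in the variable name, so match the assignment rather than the token.
    "Supabase service_role key": re.compile(
        r"""(?i)service_role[a-z_]*\s*[:=]\s*['"][^'"]+['"]"""),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}
# Generic "apiKey = '...'" / "password = '...'" assignments with a quoted value.
GENERIC_PATTERN = re.compile(
    r"""(?i)(api[_-]?key|password|secret|token)\s*[:=]\s*['"]([^'"]{8,})['"]""")
# Candidate tokens for the entropy check: long runs of base64/URL-safe chars.
TOKEN_PATTERN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumption for this example)


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character; a run of one char scores 0.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    spans = []  # (start, end) of everything already reported on this line
    for kind, pattern in PROVIDER_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append(Finding(line_no, kind, m.group(0)))
            spans.append(m.span())
    # The generic assignment pattern only adds signal when no prefix hit.
    if not spans:
        for m in GENERIC_PATTERN.finditer(line):
            findings.append(Finding(line_no, "Generic credential assignment", m.group(0)))
            spans.append(m.span())
    # Entropy check for prefix-less secrets, skipping text already reported.
    for m in TOKEN_PATTERN.finditer(line):
        if any(m.start() < end and start < m.end() for start, end in spans):
            continue
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(line_no, "High-entropy string", m.group(0)))
    return findings


def scan_source(text: str) -> List[Finding]:
    """Scan a file's text; line numbers are 1-based like an editor's."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line))
    return findings


# Constructed sample of an AI-built component; every key below is fake.
SAMPLE_SOURCE = "\n".join([
    'const stripe = Stripe("sk_live_FAKE0000000000000000example");',
    'openai.api_key = "sk-proj-FAKEFAKEFAKEFAKEFAKEFAKE01"',
    'AWS_ACCESS_KEY_ID=AKIAFAKEFAKEFAKEFAKE',
    'const bucketSig = "x7Gk2pQ9vLm4Wz8Nb3Rt6Yh1Jc5Fd0Sa";',   # no prefix: entropy only
    'SUPABASE_SERVICE_ROLE_KEY = "eyJhbGciOiJIUzI1NiJ9.FAKE.FAKE"',
    'const mapsKey = "AIza' + "FAKE" * 8 + 'FAK";',            # 35 chars after AIza
    'password = "hunter2hunter2"',
    'const welcome = "hello_hello_hello_hello_hello";',         # long but low entropy
    '// TODO: read STRIPE_SECRET_KEY from process.env on the server',
    'stripe_key = "sk_live_REPLACE_ME"',                         # placeholder, not a key
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.match}")
```

Run it on a real tree with something like `for f in $(git ls-files); do python scan.py "$f"; done` after adapting the `__main__` block to read files, and run it over `git log -p` output as well, since that is where "removed" keys live. The last three sample lines are there to show what the tightened patterns deliberately do not report; a looser `grep sk_live` would have flagged the placeholder.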
Fixing a found key — three steps, not one
- Move it — load the key from an environment variable in server-side code only. A variable whose name carries a frontend build prefix (VITE_, NEXT_PUBLIC_, REACT_APP_) is copied into the browser bundle by the build tool, so it has not been moved at all.
- Ignore it — make sure .env is in .gitignore, along with variants like .env.local and .env.production (a pattern such as .env.* covers them), so the file you just created never gets committed.
- Rotate it — generate a new key at the provider and revoke or delete the old one; the old key must be treated as compromised the moment it touched code, even if you believe nobody else saw it.
Skipping rotation is the classic mistake: removing the key from your code doesn't remove it from the scrapers that already copied it.
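The first two steps as a start-up self-check, added here as an example and not VibeSafe's or any framework's code: a server-side loader that refuses to run with a placeholder value or a frontend-exposed variable name, and a small .gitignore evaluator that confirms .env files are actually covered, including the last-match-wins and "!" negation rules that make a hand-written .gitignore easy to get wrong. The prefix list, the placeholder list, the environment dictionaries and the .gitignore texts are assumptions constructed for the example; the evaluator is a deliberate subset of git's matching rules.

```python
"""Start-up self-check for the "move it" and "ignore it" steps.

Added example (not VibeSafe code). The .gitignore evaluator covers the rules
that matter for .env files and is a subset of git's full semantics; the
environments and .gitignore texts at the bottom are constructed inputs.
"""
import fnmatch
import os
from typing import Dict, List, Optional, Tuple

# Build tools copy variables with these prefixes into the browser bundle, so
# a key stored under such a name is still visible to every visitor.
PUBLIC_PREFIXES = ("VITE_", "NEXT_PUBLIC_", "REACT_APP_")
# Values that mean "nobody set this yet"; starting up with one is a bug.
PLACEHOLDERS = {"", "changeme", "replace_me", "todo", "xxx"}


def gitignore_matches(gitignore_text: str, path: str) -> bool:
    """Is `path` ignored by this .gitignore? Last matching pattern wins and a
    leading '!' negates, as in git. Simplifications: '*' also crosses '/',
    and the directory-only meaning of a trailing '/' is not enforced."""
    ignored = False
    basename = path.rsplit("/", 1)[-1]
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        anchored = pattern.startswith("/")
        pattern = pattern.strip("/")
        # A pattern with a slash (or a leading slash) matches the full path;
        # any other pattern matches the basename at any depth.
        target = path if anchored or "/" in pattern else basename
        if fnmatch.fnmatchcase(target, pattern):
            ignored = not negate
    return ignored


def load_secret(name: str, environ: Optional[Dict[str, str]] = None) -> str:
    """Server-side replacement for a pasted key: read it from the environment
    and refuse to start with a placeholder or a frontend-exposed name."""
    env = os.environ if environ is None else environ
    if name.startswith(PUBLIC_PREFIXES):
        raise ValueError(f"{name} would be bundled into the frontend; use a server-only name")
    value = env.get(name, "").strip()
    if value.lower() in PLACEHOLDERS:
        raise RuntimeError(f"{name} is unset or a placeholder; refusing to start")
    return value


def startup_checks(environ: Dict[str, str], gitignore_text: str,
                   required: Tuple[str, ...] = ("STRIPE_SECRET_KEY",)) -> List[str]:
    """Return a list of problems; an empty list means the two steps are done."""
    problems: List[str] = []
    for name in required:
        try:
            load_secret(name, environ)
        except (ValueError, RuntimeError) as exc:
            problems.append(str(exc))
    for env_file in (".env", ".env.local"):
        if not gitignore_matches(gitignore_text, env_file):
            problems.append(f"{env_file} is not ignored by .gitignore")
    return problems


# Constructed inputs for the example.
GOOD_GITIGNORE = "node_modules/\n.env\n.env.*\n!.env.example\n"
BAD_GITIGNORE = "node_modules/\n"  # the classic miss: .env gets committed

if __name__ == "__main__":
    print(startup_checks({"STRIPE_SECRET_KEY": "sk_live_FAKE"}, GOOD_GITIGNORE))
    print(startup_checks({"NEXT_PUBLIC_STRIPE_KEY": "sk_live_FAKE"}, BAD_GITIGNORE,
                         required=("NEXT_PUBLIC_STRIPE_KEY",)))
```

Wire `startup_checks` into the server's boot path (reading the real `.gitignore` from disk) so a missing rule or a placeholder value fails the deployment instead of shipping. Rotation, the third step, is not something code can do for you; it is a provider-dashboard action and still has to happen.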
Automate the hunt
VibeSafe detects exposed keys across languages and providers, shows the exact line, and explains the fix — and it flags high-entropy strings that don't match known prefixes but look like secrets. Free to run, results in seconds.
3 free scans every month · Your code is never stored