Secrets
What actually happens when your API key leaks — hour by hour
Founders imagine a leaked key is a slow-burning risk. The reality is closer to a house fire. Here's the realistic timeline, and the response checklist if it happens to you.
Minutes 0–10: discovery
Scrapers continuously monitor public GitHub commits, npm packages, and deployed JavaScript bundles for key patterns. A key pushed to a public repo is typically discovered in under ten minutes. Deployed frontend bundles take longer only because they're crawled less often.
Hours 0–24: exploitation
- OpenAI keys get resold or pumped through proxy services until the quota dies — bills in the hundreds to thousands.
- Stripe keys get probed for refund and payout capabilities; even restricted keys can leak customer data via list endpoints.
- AWS keys spin up GPU instances for crypto mining — the classic $50k weekend bill.
- Supabase service_role keys read and modify your entire database, RLS bypassed.
The response checklist
- Rotate immediately — generate a new key, revoke the old one at the provider. This is minute one, not step five.
- Check the provider's usage logs for what the key did while exposed
- Set spending limits and alerts on every paid API you use
- Move the new key to environment variables — never back into code
- If user data was reachable, treat it as an incident: assess what was accessible and whether disclosure obligations apply
The cheap insurance
Scanning your code before every deploy costs seconds; a leaked key costs a weekend and sometimes a company. VibeSafe flags hardcoded keys with the exact line and fix — before the scrapers get their turn.
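To make the pre-deploy scan concrete, here is an added example scanner (my own code, not VibeSafe's) that flags hardcoded keys of the four families named above and reports the exact line, a redacted preview and the fix. The key-prefix patterns, the hypothetical `scan_source` function and the sample source file are assumptions I constructed; the AWS value is the placeholder key from AWS's own documentation.

```python
import base64
import json
import re
# Key-prefix patterns for the families this page names (assumed formats, not VibeSafe's rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _jwt_role(token: str):
    """Return the 'role' claim of an unverified JWT payload, or None."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, AttributeError):
        return None

def scan_source(text: str) -> list:
    """One finding per hardcoded key: line number, kind, redacted preview, fix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token, label = match.group(0), kind
                if kind == "jwt":
                    # Only role=service_role is the RLS-bypassing Supabase key; other JWTs are skipped.
                    if _jwt_role(token) != "service_role":
                        continue
                    label = "supabase_service_role"
                findings.append({"line": lineno, "kind": label, "preview": token[:8] + "..." + token[-4:],
                                 "fix": "revoke at the provider, then read it from an environment variable"})
    return findings

# Constructed sample file: AWS value is the placeholder from AWS's docs; the JWT is fake with a bogus signature.
_SERVICE_ROLE_JWT = ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                              _b64url(b'{"iss":"supabase","role":"service_role"}'),
                              _b64url(b"not-a-real-signature")])
SAMPLE_SOURCE = f"""\
openai_key = os.environ["OPENAI_API_KEY"]        # fine: read at runtime
stripe.api_key = "sk_live_EXAMPLE0123456789abcd"  # hardcoded
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SUPABASE_KEY = "{_SERVICE_ROLE_JWT}"
"""
```

Running `scan_source(SAMPLE_SOURCE)` reports the Stripe, AWS and Supabase lines and leaves the environment-variable line alone; wire it into a pre-commit hook or CI step so a non-empty result fails the deploy.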
An honest note. VibeSafe helps catch the most common risks in AI-built apps quickly. It doesn't replace a professional security audit for high-risk applications.