Exposed API keys in AI-built apps: how to find and fix them

If your AI assistant put an API key in your frontend, anyone can take it. Here's how to find exposed keys and fix them the right way.

Updated June 19, 2026 · 4 min read

Check your own app in 30 seconds — free, no login:

Passive scan of your app's public files only — no login, nothing stored, your code never leaves your machine. Scan only apps you own.

Secret keys vs publishable keys

Not every key in your frontend is a problem. Some are meant to be public: Stripe's pk_live key, a Supabase anon key, a Firebase web config. Those are fine in the browser by design.

The dangerous ones are SECRET keys — Stripe sk_live, OpenAI keys, AWS keys, and the Supabase service_role key. These grant real power: charging cards, spending your AI credits, or reading your entire database. If any of these are in your client-side JavaScript, treat them as stolen.

How to find them

Open your live app's JavaScript bundles (DevTools → Sources, or View Source) and search for tell-tale prefixes: 'sk_live_' (Stripe), 'sk-' (OpenAI), 'AKIA' (AWS), and JWTs containing 'service_role' (Supabase admin key).

Attackers automate exactly this — they crawl deployed apps and grep the bundles for these patterns. A scan that finds your key in seconds is a scan an attacker can run too.
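The same check, run against a bundle you have already downloaded from your own app, as an added Node.js example (this is not VibeShield's scanner or any code from the original article). It searches for the four prefixes listed above, decodes any JWT it finds to check for the service_role claim, and reports only a masked form of each hit so the report itself does not become another copy of the secret. The sample bundle, the JWTs and every key value in it are constructed for this demo; the AWS value is Amazon's documented placeholder key.

```javascript
// Added example, not from the original article: scan a JavaScript bundle for
// the secret-key prefixes the article lists. Sample input is constructed.

// Secret prefixes. Publishable values (pk_live_, anon JWTs) are deliberately not matched.
const PATTERNS = [
  { kind: 'stripe_secret',     re: /\bsk_live_[0-9A-Za-z]{10,}/g },
  { kind: 'openai_secret',     re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  { kind: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/g },
];
// Any JWT-shaped token; its payload decides whether it is the Supabase admin key.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Never put the whole secret in a finding: prefix plus last four characters is enough to locate it.
function mask(secret) {
  return `${secret.slice(0, 8)}...${secret.slice(-4)}`;
}

// Decode the JWT payload (no signature check needed; we only want the role claim).
function jwtRole(token) {
  try {
    const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return payload.role;
  } catch {
    return undefined;
  }
}

function lineOf(text, offset) {
  return text.slice(0, offset).split('\n').length;
}

// Returns findings sorted by line: [{ kind, masked, line }]
function scanBundle(text) {
  const findings = [];
  for (const { kind, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ kind, masked: mask(m[0]), line: lineOf(text, m.index) });
    }
  }
  for (const m of text.matchAll(JWT_RE)) {
    if (jwtRole(m[0]) === 'service_role') {
      findings.push({ kind: 'supabase_service_role', masked: mask(m[0]), line: lineOf(text, m.index) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// --- Constructed sample input (unsigned, fake JWTs and placeholder keys) ---
function fakeJwt(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.constructedsignature`;
}
const ANON_JWT = fakeJwt({ iss: 'supabase', role: 'anon' });          // fine in the browser
const SERVICE_ROLE_JWT = fakeJwt({ iss: 'supabase', role: 'service_role' }); // must never ship

const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_live_publishableKeyIsFineInBrowser0000");',
  'const STRIPE_SECRET = "sk_live_CONSTRUCTEDSAMPLEKEY0000";',
  'headers: { Authorization: "Bearer sk-CONSTRUCTEDSAMPLE00000000000000000000" },',
  'accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
  `const supabase = createClient(url, "${ANON_JWT}");`,
  `const admin = createClient(url, "${SERVICE_ROLE_JWT}");`,
].join('\n');

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.kind} ${f.masked}`);
}
```

Point `scanBundle` at the text of each bundle you saved from DevTools; anything it reports with kind `stripe_secret`, `openai_secret`, `aws_access_key_id` or `supabase_service_role` is a key to rotate, while the pk_live and anon values in the same file are correctly left alone.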

The correct fix

Move the secret to the server. Create a small server route (an API endpoint or serverless function) that holds the key in a server-only environment variable and makes the third-party call on the browser's behalf. The browser calls your route; your route calls Stripe/OpenAI/etc.

Then rotate the exposed key in the provider's dashboard. Removing it from your code does not un-leak it — anyone who already grabbed it still has it until you revoke it.
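The server route described above, as an added Node.js example (this is not the code VibeShield scaffolds, and it is not from the original article). The secret is read from a server-only environment variable, the browser sends nothing but a prompt, and only the answer field goes back to the client. Assumptions: the key is in an environment variable named OPENAI_API_KEY, the upstream is OpenAI's chat completions endpoint, the route path is /api/complete, and Node 18 or newer so that global fetch exists. The `send` parameter is injectable so the handler can be exercised without network access.

```javascript
// Added example, not from the original article: a server-side route that holds
// the secret and calls the provider on the browser's behalf.
// Assumed: process.env.OPENAI_API_KEY, the OpenAI chat completions URL, Node 18+.

const PROVIDER_URL = 'https://api.openai.com/v1/chat/completions'; // assumed upstream
const MAX_PROMPT_CHARS = 2000; // cap input so the route cannot burn unbounded credits

// Validate the client body. The browser only ever sends a prompt, never a key.
function validateClientBody(body) {
  const prompt = body && typeof body.prompt === 'string' ? body.prompt.trim() : '';
  if (!prompt) return { error: 'prompt required' };
  return { prompt: prompt.slice(0, MAX_PROMPT_CHARS) };
}

// Build the upstream request. The Authorization header is attached here, on the server.
function buildProviderRequest(prompt, apiKey) {
  return {
    url: PROVIDER_URL,
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ model: 'gpt-4o-mini', messages: [{ role: 'user', content: prompt }] }),
  };
}

// Forward only the field the UI needs; upstream ids, usage and headers stay server-side.
function shapeClientResponse(upstreamJson) {
  const answer = upstreamJson && upstreamJson.choices && upstreamJson.choices[0]
    && upstreamJson.choices[0].message && upstreamJson.choices[0].message.content;
  return { answer: typeof answer === 'string' ? answer : '' };
}

async function sendViaFetch({ url, method, headers, body }) {
  const res = await fetch(url, { method, headers, body });
  if (!res.ok) throw new Error(`provider returned ${res.status}`);
  return res.json();
}

// Route handler: returns { status, body } for the HTTP wrapper below.
async function handleCompletion(clientBody, { apiKey = process.env.OPENAI_API_KEY, send = sendViaFetch } = {}) {
  if (!apiKey) return { status: 500, body: { error: 'server is missing OPENAI_API_KEY' } };
  const v = validateClientBody(clientBody);
  if (v.error) return { status: 400, body: { error: v.error } };
  try {
    const upstream = await send(buildProviderRequest(v.prompt, apiKey));
    return { status: 200, body: shapeClientResponse(upstream) };
  } catch (err) {
    // Log server-side only; provider error bodies are not echoed to the browser.
    console.error('provider call failed:', err.message);
    return { status: 502, body: { error: 'upstream call failed' } };
  }
}

// Minimal HTTP wrapper: POST /api/complete {"prompt": "..."} -> {"answer": "..."}
function startServer(port = 3000) {
  const { createServer } = require('node:http');
  return createServer((req, res) => {
    if (req.method !== 'POST' || req.url !== '/api/complete') {
      res.writeHead(404).end();
      return;
    }
    let raw = '';
    req.on('data', (chunk) => {
      raw += chunk;
      if (raw.length > 100000) req.destroy(); // reject oversized bodies
    });
    req.on('end', async () => {
      let parsed = null;
      try { parsed = JSON.parse(raw); } catch { /* falls through to 'prompt required' */ }
      const { status, body } = await handleCompletion(parsed);
      res.writeHead(status, { 'Content-Type': 'application/json' }).end(JSON.stringify(body));
    });
  }).listen(port);
}
```

Run it with `OPENAI_API_KEY=... node server.js` after adding a `startServer()` call, and replace the browser's direct provider call with `fetch('/api/complete', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ prompt }) })`. The client bundle then contains no key at all, which is the only state the scan in the previous section should ever find.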

Paste VibeShield's fix prompt for each finding into Cursor or Lovable and it will scaffold the server route and remove the key from the client for you.

Frequently asked questions

I rotated the key but it's still in an old deploy — is that a problem?

Rotating the key makes the old value useless, which is the point. Just make sure the new secret key never ships to the client again.

Can I just obfuscate the key instead?

No. Anything the browser can use, an attacker can extract. Obfuscation slows nobody down — the key has to live on the server.

Don't guess — scan it

VibeShield checks your live app for exposed keys and open databases in about 30 seconds, and hands you the fixes.
