OpenAI keys, Stripe secret keys, Supabase service-role keys — AI builders put them straight into frontend code constantly, because it’s the shortest path to a working demo. Anyone can open DevTools and read them. Five-minute check, then the proper fix.
Scrapers harvest keys from public bundles and GitHub within hours and resell the capacity. The bill is usually how people find out.
If you can see it, so can everyone. The browser bundle is public by definition — that’s what shipping a frontend means.
OpenAI and Stripe scan public repos and traffic patterns. If they noticed, assume others noticed first.
A leaked Stripe secret or service-role key isn’t a cost problem — it’s full account control. Treat it as an incident, not a bug.
Calling OpenAI from the browser takes four lines; doing it properly needs a server route. Guess which one the model reaches for when you say 'add AI to my app'.
Anything prefixed VITE_ or NEXT_PUBLIC_ is compiled into the public bundle by design. The AI knows the prefix makes the variable work — not that it makes it public.
The key works from the browser. The app runs. Every incentive during prompting says done — the cost arrives weeks later on someone else's schedule.
Ones designed for it: Supabase anon key (with RLS on), Stripe publishable key, analytics IDs. The test is the name — anything called secret, service or private is not frontend material, ever.
You've stopped the bleeding. If the code still calls providers from the browser, the new key ships in the next build. The server-side refactor is the actual fix — rotation buys the time to do it.
Almost certainly — harvested keys are resold within hours. Rotate, set a hard usage cap, and check the usage log to bound the damage window.
Yes. Git history is part of the repo; anyone who cloned or forked it has the key. Rotation is the only fix history allows.
Yes — key hygiene is part of every rescue's security pass: found, rotated, moved server-side and gated, with the pre-deploy check installed so it stays fixed.
Key exposure is checked in every triage — found, rotated and refactored server-side as part of the security pass.
43+ happy clients · rated 4.9/5 · senior engineers on every build