AIExposureTool · Security · 6 min read

How to Find and Fix API Key Leaks in Your SaaS App

In 2024, a developer exposed a Google Gemini API key in a public GitHub repo and got charged $250,000 in a single weekend. Leaked Stripe secret keys have drained accounts overnight. Here's how to find and fix these leaks before they cost you.

How API Keys End Up in JavaScript Bundles

When you build a Next.js, React, or Vite app, your bundler (webpack, Vite, Rollup) compiles your imports into JavaScript bundles. At build time it also substitutes environment variables into that code, but only the ones the framework treats as public: NEXT_PUBLIC_* in Next.js, VITE_* in Vite, REACT_APP_* in Create React App. Those values become string literals inside the bundle, readable by anyone who opens DevTools or fetches the chunk with curl. A variable without the public prefix is not inlined into client code; in the browser it simply reads as undefined. A key pasted into source as a string literal gets no protection from any prefix rule at all: it ships as-is.

The common mistake with AI-assisted coding: you ask Claude or ChatGPT to “add Stripe integration” and the AI generates code that reads process.env.STRIPE_SECRET_KEY in a client component. In the browser that value is undefined, so the next round of fixing (by you or by the assistant) tends to end in one of two places: the variable is renamed NEXT_PUBLIC_STRIPE_SECRET_KEY, or the key is pasted in as a string literal. Either way the bundler bakes the key into a chunk under _next/static/chunks/, and everyone can read it.
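To make the build-time rule concrete, here is an added example (not code from the original post, and not Next.js's own implementation): a few-line model of the substitution a Next.js client build applies, run over a constructed client component, followed by a check of which environment values survived into the bundle text. The substitution rule is an assumption that mirrors Next.js's documented behaviour (process.env.NEXT_PUBLIC_* is replaced by the literal value, any other process.env.* reads as undefined in the browser); the source, env names and key values are placeholders.

```javascript
// Added example: a minimal model of the client-side env inlining a Next.js build performs.
// Assumed rule (matches Next.js's documented behaviour): process.env.NEXT_PUBLIC_* becomes
// the literal value, every other process.env.* becomes undefined in browser code.
function inlineClientEnv(source, env) {
  return source.replace(/process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g, (_, name) =>
    name.startsWith('NEXT_PUBLIC_') && name in env ? JSON.stringify(env[name]) : 'undefined',
  );
}

// Which env entries that look like live secrets ended up verbatim in the bundle text?
function leakedEnvNames(bundle, env, secretPrefix = 'sk_live_') {
  return Object.entries(env)
    .filter(([, value]) => value.startsWith(secretPrefix) && bundle.includes(value))
    .map(([name]) => name);
}

// Constructed sample of the kind of client component an AI assistant produces.
const CLIENT_SOURCE = `
const stripe = Stripe(process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY); // fine: pk_ keys are public by design
const secret = process.env.STRIPE_SECRET_KEY;                          // not inlined; undefined in the browser
const leaked = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;              // BUG: a secret given the public prefix
const pasted = "sk_live_PASTEDEXAMPLE0000000000000000";                // BUG: a literal survives any bundler
`;

// Constructed build environment; the values are placeholders, not real keys.
const BUILD_ENV = {
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: 'pk_live_EXAMPLE0000000000000000',
  STRIPE_SECRET_KEY: 'sk_live_SERVERONLY000000000000000',
  NEXT_PUBLIC_STRIPE_SECRET_KEY: 'sk_live_LEAKED00000000000000000000',
};

function demo() {
  const bundle = inlineClientEnv(CLIENT_SOURCE, BUILD_ENV);
  console.log(bundle);
  console.log('env names leaked into the bundle:', leakedEnvNames(bundle, BUILD_ENV));
  return bundle;
}
demo();
```

Three things fall out of the run: the publishable key is inlined and that is fine, the un-prefixed secret vanishes (which is the "undefined" that tempts people into adding the prefix), and both the prefixed secret and the pasted literal sit in the output as plain text. Only the prefixed one shows up in leakedEnvNames, because a pasted literal is not in the environment at all; that is why a scanner has to grep the built output rather than the env file.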

The 17 Keys We Scan For

Our security scanner checks HTML source and all JavaScript bundle files for these patterns:

Stripe secret keys (sk_live_...)
Stripe webhook secrets (whsec_...)
OpenAI API keys (sk-..., including the sk-proj-... form)
Anthropic/Claude keys (sk-ant-...; matched before the generic sk- pattern so each key is reported once)
Google Gemini keys (AIza..., the standard Google API key format)
Supabase service role keys (a JWT whose payload carries "role":"service_role"; the anon key has the same eyJ... shape and is meant to be public, so the role claim is what matters, not the prefix)
Razorpay keys (rzp_live_...)
AWS access keys (AKIA..., or ASIA... for temporary credentials)
Twilio auth tokens
SendGrid API keys (SG....)
GitHub personal access tokens (ghp_... or github_pat_...)
Slack bot tokens (xoxb-...)
Mailgun API keys
HubSpot API keys
Cloudflare API tokens
Intercom API keys
Braintree access tokens (access_token$production$...)

How to Find Leaks Right Now

Option 1: Use our free scanner — paste your URL at aiexposuretool.com. We fetch all your JS bundles and scan for all 17 patterns automatically. Results in 15 seconds.

Option 2: Manual check — open your site in Chrome, open DevTools → Sources and look under _next/static/chunks/ (Next.js) or assets/ (Vite). Ctrl+F only searches the file you have open; use Ctrl+Shift+F (Cmd+Option+F on macOS) to search across every loaded source, and search for sk_live, whsec_, sk-ant-, AIza, AKIA and service_role. A bare sk- hit needs a second look, since it also matches harmless identifiers. Check the HTML document too: inline <script> blocks and the Next.js RSC payload are not under chunks/. And DevTools only shows what the pages you visited actually loaded, so a key in a lazily loaded route chunk will not appear until you navigate to that route.
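A third option is to script the check so it can run against staging before every release, which is the same check as the CI step suggested further down. What follows is an added example, not AIExposureTool's scanner and not the page's own code: a Node script that fetches a page, follows every <script src>, and greps the bodies for the documented key formats from the list above. It assumes Node 18 or newer (global fetch and base64url support). The regexes use only the prefixes the providers publicly document; formats with no fixed prefix (Twilio, Cloudflare, Intercom, Mailgun) are deliberately left out rather than guessed. The sample site, URLs and key values at the bottom are constructed placeholders so the script runs offline.

```javascript
// Added example scanner (not AIExposureTool's). Node 18+ assumed.

function isServiceRoleJwt(token) {
  // Supabase service role keys are ordinary JWTs; the dangerous part is the role claim.
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return JSON.parse(payload).role === 'service_role';
  } catch {
    return false;
  }
}

const SECRET_PATTERNS = [
  { type: 'Stripe secret key',         re: /\bsk_live_[0-9A-Za-z]{20,}\b/g },
  { type: 'Stripe webhook secret',     re: /\bwhsec_[0-9A-Za-z]{20,}\b/g },
  { type: 'Anthropic API key',         re: /\bsk-ant-[0-9A-Za-z_-]{20,}/g },
  // OpenAI keys also start with sk-; exclude the Anthropic form so each key is reported once.
  { type: 'OpenAI API key',            re: /\bsk-(?!ant-)[0-9A-Za-z_-]{20,}/g },
  { type: 'Google API key',            re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { type: 'AWS access key ID',         re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { type: 'SendGrid API key',          re: /\bSG\.[0-9A-Za-z_-]{22}\.[0-9A-Za-z_-]{43}\b/g },
  { type: 'GitHub token',              re: /\b(?:gh[pousr]_[0-9A-Za-z]{36}|github_pat_[0-9A-Za-z_]{82})\b/g },
  { type: 'Slack bot token',           re: /\bxoxb-[0-9A-Za-z-]{20,}/g },
  { type: 'Razorpay live key',         re: /\brzp_live_[0-9A-Za-z]{10,}\b/g },
  { type: 'Supabase service role key', re: /\beyJ[0-9A-Za-z_-]+\.eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g, confirm: isServiceRoleJwt },
];

// Never log the whole secret: enough to identify it, not enough to reuse it.
const redact = (s) => `${s.slice(0, 10)}...${s.slice(-4)}`;

function scanText(text, source) {
  const findings = [];
  for (const { type, re, confirm } of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (confirm && !confirm(m[0])) continue;   // e.g. skip anon-role JWTs, which are public by design
      findings.push({ type, source, match: redact(m[0]), offset: m.index });
    }
  }
  return findings;
}

function scriptUrls(html, baseUrl) {
  const urls = [];
  for (const m of html.matchAll(/<script\b[^>]*\ssrc=["']([^"']+)["']/gi)) {
    urls.push(new URL(m[1], baseUrl).href);   // resolves relative chunk paths against the page
  }
  return urls;
}

// Scan an entry page plus each script it loads, from already-fetched bodies (url -> text).
function scanPages(entryUrl, bodies) {
  const html = bodies[entryUrl] ?? '';
  const findings = scanText(html, entryUrl);   // inline <script> and RSC payload live in the HTML itself
  for (const src of scriptUrls(html, entryUrl)) {
    if (src in bodies) findings.push(...scanText(bodies[src], src));
  }
  return findings;
}

async function scanSite(entryUrl, fetchImpl = globalThis.fetch) {
  const bodies = { [entryUrl]: await (await fetchImpl(entryUrl)).text() };
  for (const src of scriptUrls(bodies[entryUrl], entryUrl)) {
    bodies[src] = await (await fetchImpl(src)).text();
  }
  return scanPages(entryUrl, bodies);
}

// Constructed sample site for an offline run: placeholder values, not real credentials.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.notarealsignature`;
}
const ENTRY = 'https://example.test/';
const SAMPLE_SITE = {
  [ENTRY]: '<!doctype html><html><head>' +
    '<script src="/_next/static/chunks/main-app-1a2b3c.js"></script>' +
    '<script src="https://example.test/_next/static/chunks/app/page-4d5e6f.js"></script>' +
    '</head><body></body></html>',
  'https://example.test/_next/static/chunks/main-app-1a2b3c.js':
    'const stripe=Stripe("pk_live_EXAMPLEPUBLISHABLE00000000");' +   // public by design: not a finding
    `const anon="${fakeJwt({ role: 'anon' })}";`,                      // anon JWT is meant to be public
  'https://example.test/_next/static/chunks/app/page-4d5e6f.js':
    'const s="sk_live_EXAMPLEKEY00000000000000000000";' +
    'const h={"x-api-key":"sk-ant-api03-EXAMPLE000000000000000000"};' +
    `const svc="${fakeJwt({ role: 'service_role' })}";`,
};

// Usage: node scan.js https://your-app.example   (no URL: run the offline demo)
const target = process.argv.slice(2).find((a) => /^https?:\/\//.test(a));
if (target) {
  scanSite(target).then((f) => console.log(JSON.stringify(f, null, 2)));
} else {
  console.log(scanPages(ENTRY, SAMPLE_SITE));
}
```

Two design points worth copying if you roll your own: confirm a JWT by decoding the role claim rather than flagging every eyJ... string, or you will drown in findings from the anon key that belongs in the bundle; and redact matches in the output, because the scan report itself ends up in CI logs and chat channels. The same scanPages function works on a local build directory (read next/static/chunks/*.js into the bodies map) for a pre-release CI check.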

How to Fix API Key Leaks

Step 1: Rotate the key immediately. Go to your provider (Stripe, OpenAI, etc.) and generate a new key. Revoke the old one. Do this before anything else, and assume the key has already been compromised. Rotation does not unpublish anything: the old chunk can sit in CDN and browser caches, and a committed key stays in git history. Revoke, then check the provider's usage and billing dashboard for activity during the window the key was live.

Step 2: Move the key to server-side only. In Next.js, a variable without the NEXT_PUBLIC_ prefix is only readable in server code: Route Handlers, Server Components, Server Actions, Middleware and getServerSideProps. Never prefix secret keys with NEXT_PUBLIC_. One trap to watch: a Server Component that reads the key and passes it to a Client Component as a prop has leaked it just the same, because props crossing that boundary are serialized into the page.

Step 3: Create a server-side API wrapper. If you need to call an external API from the frontend, create a Next.js Route Handler (/api/your-endpoint) that makes the external call server-side and returns only what the client needs. The handler is also where the policy lives: validate the input, fix the model, token limits and other cost-driving parameters on the server rather than accepting them from the request, rate-limit by user or IP, and strip the upstream response down to the fields the UI uses. A handler that forwards arbitrary requests with your key attached has replaced a leaked key with an open relay that spends the same money.

Step 4: Audit your .env files. Make sure .env.local and .env.production are in your .gitignore. Search the working tree for sk_live or your actual key values, and search history too (git log -p -S sk_live_), because a key deleted in a later commit is still present in every clone of the repository.
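Steps 2 and 3 together, as an added example that is not code from the original post and not Next.js's own: a Route Handler in the shape Next.js uses (a POST function taking a standard Request and returning a standard Response), written against the Web API globals so it runs under plain Node 18+ without the framework. Assumptions: the upstream is the Anthropic Messages API with its public header and body format; the model name is a placeholder; the env var name ANTHROPIC_API_KEY, the route path /api/chat and the offline demo's fake upstream are all constructed for the example.

```javascript
// Added example: a server-side wrapper that keeps the secret out of the bundle.
// In a real app this lives at app/api/chat/route.js; see the export note at the bottom.

const UPSTREAM_URL = 'https://api.anthropic.com/v1/messages';
const MAX_PROMPT_CHARS = 4000;   // bound what an anonymous caller can make the server spend

const json = (data, status = 200) =>
  new Response(JSON.stringify(data), { status, headers: { 'content-type': 'application/json' } });

// env and fetchImpl are injectable so the handler can be exercised offline; in production
// the defaults (the server process's environment and the real fetch) apply.
function createChatHandler({ env = process.env, fetchImpl = globalThis.fetch } = {}) {
  async function POST(request) {
    // Read the secret from the server environment only. It must NOT be named
    // NEXT_PUBLIC_ANTHROPIC_API_KEY; that prefix would inline it into the browser bundle.
    const apiKey = env.ANTHROPIC_API_KEY;
    if (!apiKey) return json({ error: 'server is missing ANTHROPIC_API_KEY' }, 500);

    let body;
    try {
      body = await request.json();
    } catch {
      return json({ error: 'body must be JSON' }, 400);
    }
    const prompt = typeof body?.prompt === 'string' ? body.prompt.trim() : '';
    if (prompt.length === 0 || prompt.length > MAX_PROMPT_CHARS) {
      return json({ error: `prompt must be 1-${MAX_PROMPT_CHARS} characters` }, 400);
    }

    // The only place the key is used. Model and max_tokens are fixed here, not taken
    // from the client, so a caller cannot pick the most expensive option.
    const upstream = await fetchImpl(UPSTREAM_URL, {
      method: 'POST',
      headers: {
        'x-api-key': apiKey,
        'anthropic-version': '2023-06-01',
        'content-type': 'application/json',
      },
      body: JSON.stringify({
        model: 'claude-3-5-haiku-latest',   // placeholder; choose your own
        max_tokens: 512,
        messages: [{ role: 'user', content: prompt }],
      }),
    });

    if (!upstream.ok) {
      // Do not relay the upstream body: provider error messages can include account
      // details and echo request headers. Log server-side, return a generic error.
      console.error('upstream error', upstream.status);
      return json({ error: 'upstream request failed' }, 502);
    }

    // Return only what the UI needs (the text), not the raw upstream response.
    const data = await upstream.json();
    const reply = (data.content ?? [])
      .filter((part) => part.type === 'text')
      .map((part) => part.text)
      .join('');
    return json({ reply });
  }
  return { POST };
}

// Offline demo with a constructed upstream: the key reaches the upstream header and
// nothing but the reply text reaches the client.
async function demoOffline() {
  const seen = [];
  const fakeFetch = async (url, init) => {
    seen.push({ url, apiKey: init.headers['x-api-key'] });
    return json({ id: 'msg_demo', content: [{ type: 'text', text: 'hello from upstream' }], usage: { input_tokens: 3 } });
  };
  const { POST } = createChatHandler({ env: { ANTHROPIC_API_KEY: 'sk-ant-PLACEHOLDER' }, fetchImpl: fakeFetch });
  const req = new Request('http://localhost/api/chat', { method: 'POST', body: JSON.stringify({ prompt: 'hi' }) });
  const res = await POST(req);
  return { status: res.status, body: await res.json(), upstreamSawKey: seen[0].apiKey };
}
demoOffline().then((r) => console.log(r));

// In app/api/chat/route.js:   export const { POST } = createChatHandler();
// The browser then calls fetch('/api/chat', { method: 'POST', body: JSON.stringify({ prompt }) })
// and never sees the key.
```

Note what the client cannot influence: the upstream URL, the model, max_tokens and the headers are all fixed in server code, and the upstream response is reduced to one field before it leaves the server. Rate limiting is left out to keep the example short; in production, key it on the authenticated user or the client IP in front of this handler.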

Prevent Leaks Going Forward

  • Use a secret scanning tool in CI (GitHub has native secret scanning for public repos)
  • Never use NEXT_PUBLIC_ prefix for any key that isn't safe for public consumption
  • Run our security scanner before every major release
  • Set up .env file exposure alerts — we check if your .env is publicly accessible

Scan your site for key leaks right now

Free. 15 seconds. Checks HTML source and all JavaScript bundles.

Run free security scan →