Your API keys are leaking — and you don't know it
API keys leak in three ways. Most developers have experienced at least one of them.
1. Committed to a public git repo
Someone creates a .env file, puts their API keys in it, and commits it. The .env gets added to .gitignore a few commits later. The key is gone from the working tree but it lives in git history forever.
GitHub's secret scanning catches some of this automatically. But private repos that go public, old repos dusted off for new projects, and forks all create windows where the key is exposed.
2. Shipped in the frontend bundle
Anything prefixed with NEXT_PUBLIC_ in Next.js, or accessed via process.env in client-side code, ends up in the JavaScript bundle delivered to every browser. You can read it in about 10 seconds with DevTools.
Some keys are safe to be public — a Stripe publishable key, for instance, is designed to be in the frontend. Your secret key, your OpenAI key, your database password — none of those belong there.
3. Logged by your error tracker
Error tracking tools capture request context. If your API key is in a request header, URL parameter, or request body, and that request throws an error, the key may end up stored in your Sentry or Datadog dashboard, where it is readable by everyone with access to that tool.
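One mitigation for the error-tracker leak is to scrub request context before the event leaves your process. The following is an added example, not code from the original post: a before-send hook in the shape of sentry_sdk's before_send(event, hint) callback (that signature and the event["request"] layout with "headers", "query_string", "url" and "data" are assumptions about the SDK; the header and parameter name lists and the sample event are constructed for the example). It redacts credential-bearing headers, query parameters and body fields by name while keeping the rest of the request intact for debugging.

```python
import copy
import json
from typing import Any, Dict, Optional

REDACTED = "[REDACTED]"
# Header and parameter names whose values are credentials. Constructed for this
# example; extend it with whatever names your own stack uses.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "refresh_token",
                    "secret", "password"}


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    # Match case-insensitively: SDKs and proxies do not agree on header casing.
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def scrub_query_string(qs: str) -> str:
    # Rewrite name=value pairs in place so the URL shape survives for debugging.
    out = []
    for pair in qs.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            value = REDACTED
        out.append(name + sep + value)
    return "&".join(out)


def scrub_data(data: Any) -> Any:
    # Recurse through a parsed JSON body; redact by key name, leave other values alone.
    if isinstance(data, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_PARAMS else scrub_data(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [scrub_data(v) for v in data]
    return data


def before_send(event: Dict[str, Any], hint: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Hook in the assumed shape of sentry_sdk's before_send: returns the event to send."""
    req = event.get("request")
    if not req:
        return event
    if "headers" in req:
        req["headers"] = scrub_headers(req["headers"])
    if "query_string" in req:
        req["query_string"] = scrub_query_string(req["query_string"])
    if "url" in req and "?" in req["url"]:
        # Some SDKs keep the query string on the URL as well; scrub both places.
        base, _, qs = req["url"].partition("?")
        req["url"] = base + "?" + scrub_query_string(qs)
    if "data" in req:
        req["data"] = scrub_data(req["data"])
    return event


# Constructed event: what a tracker would capture from a failed upstream call.
# The key values are placeholders, not real credentials.
SAMPLE_EVENT: Dict[str, Any] = {
    "message": "upstream call failed",
    "request": {
        "url": "https://api.example.test/v1/charge?api_key=sk_live_EXAMPLEonly000000",
        "method": "POST",
        "headers": {"Authorization": "Bearer sk-EXAMPLEonly0000000000000000",
                    "Content-Type": "application/json"},
        "query_string": "api_key=sk_live_EXAMPLEonly000000&amount=500",
        "data": {"customer": "cus_EXAMPLE", "token": "tok_EXAMPLE",
                 "items": [{"password": "hunter2"}]},
    },
}


def demo() -> Dict[str, Any]:
    # Work on a copy so the constructed sample stays readable for comparison.
    return before_send(copy.deepcopy(SAMPLE_EVENT))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Registering the hook is a one-liner in the SDK's init call (sentry_sdk.init(before_send=before_send)); the same by-name scrubbing applies to any tracker that exposes a pre-send callback. Scrubbing by name misses a key that lands in a free-text field, so pair it with the key-prefix checks below and keep the lists short enough that the events are still useful.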
How to check
Run git log -p | grep -i "api_key\|secret\|token\|password" on your repo; because git log -p walks every commit, a key that was deleted in a later commit still shows up. Check your frontend bundle in DevTools → Sources → search for known key prefixes. Review what your error tracker captures in its request context.
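The manual checks above can be turned into one scanner that runs over git history output and a built bundle alike. This is an added example, not the post's or RepoVault's code: it recognises a few well-known key prefixes (Stripe sk_/pk_, OpenAI sk-, AWS AKIA, GitHub ghp_) and falls back to the same name list as the grep in the text, keeps the public-by-design distinction from section 2, and flags a key that was removed in a later commit but is still readable in history. The git log sample and the bundle fragment are constructed, and the key values in them are placeholders.

```python
import re
import subprocess
from typing import List, NamedTuple


class Finding(NamedTuple):
    source: str      # label of the input that was scanned
    line_no: int
    col: int
    kind: str        # key family, or "assignment:<name>" for the generic pattern
    public_ok: bool  # True only for key types designed to ship to browsers
    diff_op: str     # "+" / "-" when the hit is on a diff line, else ""
    snippet: str     # masked value, safe to put in a report


# Prefix patterns for a few well-known key formats. public_ok follows the page's
# point: a Stripe publishable key is meant for the frontend; secret keys are not.
KEY_PATTERNS = [
    ("stripe_secret", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}"), False),
    ("stripe_publishable", re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{8,}"), True),
    ("openai", re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"), False),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{20,}"), False),
]

# Generic fallback: the names from the grep in the text, assigned a value of 8+ chars.
ASSIGNMENT = re.compile(r"(?i)(api_?key|secret|token|password)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})")


def mask(value: str) -> str:
    """Keep enough of the value to recognise it, never the whole thing."""
    return value[:8] + "***" + value[-4:] if len(value) > 12 else value[:4] + "***"


def scan_text(source: str, text: str) -> List[Finding]:
    found: List[Finding] = []
    seen = set()
    for n, line in enumerate(text.splitlines(), 1):
        op = line[0] if line and line[0] in "+-" and not line.startswith(("+++", "---")) else ""
        # Specific patterns first so a known key family wins over the generic one.
        for kind, pat, public_ok in KEY_PATTERNS:
            for m in pat.finditer(line):
                if (n, m.group(0)) not in seen:
                    seen.add((n, m.group(0)))
                    found.append(Finding(source, n, m.start(), kind, public_ok, op, mask(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            if (n, m.group(2)) not in seen:
                seen.add((n, m.group(2)))
                found.append(Finding(source, n, m.start(2), "assignment:" + m.group(1).lower(),
                                     False, op, mask(m.group(2))))
    return sorted(found, key=lambda f: (f.line_no, f.col))


def scan_git_history(repo_path: str = ".") -> List[Finding]:
    """Run the text's check over every commit on every branch (needs git installed)."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text("git-history", out)


# Constructed sample of `git log -p` output: a .env committed, then deleted.
GIT_LOG = """\
commit 1111111 (constructed)
    add env config
diff --git a/.env b/.env
+++ b/.env
+OPENAI_API_KEY=sk-EXAMPLEonly0000000000000000
+STRIPE_SECRET_KEY=sk_live_EXAMPLEonly000000
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEONLY00000
+DB_PASSWORD=correct-horse-battery

commit 2222222 (constructed)
    remove .env from repo
diff --git a/.env b/.env
--- a/.env
-OPENAI_API_KEY=sk-EXAMPLEonly0000000000000000
-STRIPE_SECRET_KEY=sk_live_EXAMPLEonly000000
-AWS_ACCESS_KEY_ID=AKIAEXAMPLEONLY00000
-DB_PASSWORD=correct-horse-battery
"""

# Constructed fragment of a minified frontend bundle with both kinds of Stripe key.
BUNDLE = ('const cfg={publishable:"pk_live_EXAMPLEonly000000",secret:"sk_live_EXAMPLEonly000000",'
          'endpoint:"https://api.example.test"};'
          'fetch(cfg.endpoint,{headers:{Authorization:"Bearer "+cfg.secret}})')


def report(findings: List[Finding]) -> None:
    for f in findings:
        note = "public-by-design" if f.public_ok else "SECRET"
        if f.diff_op == "-":
            note += ", deleted in a later commit but still in history"
        print(f"{f.source}:{f.line_no} {f.kind} {f.snippet} ({note})")


if __name__ == "__main__":
    report(scan_text("git-history", GIT_LOG) + scan_text("bundle", BUNDLE))
```

On a real repo, scan_git_history(".") feeds the same scanner from git log -p --all, so branches and tags that were never merged are covered too. A finding on a "-" line is the case section 1 describes: the file is gone from the working tree, but the value is still one git log away, and the only real fix is to rotate the key.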
Or scan your app — RepoVault checks for exposed keys as part of its 50+ check scan.