IndustriesWorkPlaybookHow it worksAboutBook a systems auditBring us your idea

What is an exposed API key and why it matters?

Straight answer

An API key is a password that lets your app use a service. Exposed means it is visible somewhere the public can read it, like your code or browser. It matters because anyone who finds it can use that service as you: run up bills, read your data, or send messages in your name. It is a found password.

Information current as at 5 July 2026

Of all the security problems in AI-built apps, the exposed API key is the most common and one of the most consequential, and it is also the easiest to understand. It is a password left in public. Once you grasp what a key is and where it hides, you can find and fix the problem yourself, usually within an hour and at no cost.

Plain English
API key
A secret string that identifies your app to a service and grants it access, like a password.
Frontend
The part of your app that runs in the visitor's browser, where nothing is truly hidden.
Backend
The server-side part of your app, where secrets can be kept out of public view.
Rotate
To reset a key so the old one stops working, done when a key may be exposed.

What an API key is

Most apps do not do everything themselves. They lean on outside services: a payment processor, an email sender, a mapping service, a database, an AI model. To use one of these, your app has to prove it is allowed, and it does that with an API key, a long secret string the service issues you. Think of it as a password for a service rather than a person. When your app sends a request along with the key, the service trusts it and acts. That is convenient and normal. The danger is entirely about who else can read that key, because the service cannot tell the difference between your app using it and a stranger using the same string.

What "exposed" means and how it happens

A key is exposed when it sits somewhere the public can read it. The classic case in AI-built apps is a key written directly into the frontend code, the part that runs in the browser, where anyone can open the page source and see it. It also happens when keys are committed to a public code repository, printed into logs, or returned in a network response. AI builders produce this pattern often, because wiring a key straight into the app is the quickest way to make a feature work in a demo. Technology press reporting (XDA Developers) has described vibe-coded apps routinely shipping with exposed keys and data, which reflects how easily this slips through when the goal is a working prototype rather than a hardened product.

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Why it matters so much

A found key is a working credential in a stranger's hands. The damage depends on what the key unlocks, and it can be serious. A payment or infrastructure key can be used to run up real charges on your account. A database key can let someone read, change or delete your records, including customer data. An email or messaging key can send messages that appear to come from you, damaging your reputation and reaching your customers. An AI service key can be drained, leaving you with the bill. The service treats the key as proof of permission, so it does exactly what it is told, whether the request came from you or from whoever found the string. This is why an exposed key is not a theoretical risk but a live one.

How to fix and prevent it

The fix has two parts. First, rotate every exposed key: go to the service, reset or regenerate the key so the old one stops working immediately, and assume the old one was seen even if you have no proof. Second, move keys off the frontend. Secrets belong in server-side settings, called environment variables, that run on your host and are never sent to the browser. Sensitive services should be called from your backend, which holds the key, rather than directly from the visitor's page. To prevent recurrence, keep a short list of every key your app uses, confirm none appear in the page source, and rotate keys whenever code is shared or a service raises a warning. This is genuinely fixable without paying anyone, though if payment or customer-data keys were exposed, a careful review of what may have been reached is worth it.

Common questions

Questions, answered

How do I check if my keys are exposed?
Open your app, view the page source, and search for words like key, secret and token. Also check the network requests in your browser developer tools. If any string that grants access to a service appears where the browser can read it, that key is exposed and needs rotating and moving server-side.
Are all keys in the frontend a problem?
Not all. Some services issue deliberately public keys, safe to appear in the browser, paired with a secret key kept server-side. The danger is a secret key, meant to stay private, ending up in the frontend. If you are unsure which kind you have, treat it as secret and check the service documentation.
A key was exposed but I see no misuse. Am I fine?
Rotate it anyway. Absence of visible misuse is not proof it was never seen, and automated tools scan public code for keys constantly. Reset the key so the exposed one is dead, then move the new one server-side. The cost of rotating is minutes; the cost of assuming safety can be much higher.
How do I stop this happening again?
Keep secrets in server-side environment variables, never in browser code, and call sensitive services from your backend. Maintain a short list of your keys and confirm none appear in the page source before each launch. Rotate any key that was ever shared or committed to a repository. Prevention is mostly a habit, not a purchase.
No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Start here

Two doors. Same senior team.

Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.