What Happens If Your API Key Is Leaked?
A leaked API key can cost you thousands and expose your data. Here's what happens and what to do immediately.
What this problem means
Your API key—OpenAI, AWS, Stripe, or any third-party—ended up somewhere it shouldn't. Maybe in frontend code, a public repo, or a log. Bots scrape for these keys within hours. Once exposed, attackers use your key to rack up bills, abuse your API, or access data.
Why this is dangerous
- Cost explosion: A single leaked key can generate thousands in bills overnight.
- Data access: Keys with read permissions expose customer or internal data.
- Reputation: Breaches and unexpected bills damage trust with users and investors.
Real-world example
A startup embedded their OpenAI API key in a client-side app. Within 48 hours, the key was scraped and used to generate $82,000 in API charges. The startup had no rate limits, no per-user quotas, and no alerts. They discovered the breach when the invoice arrived.
How to fix it
1. Rotate immediately: Revoke the key in your provider's dashboard and create a new one.
2. Find the source: Check frontend code, git history, logs. Remove the key from everywhere.
3. Move to backend: All API calls must go through a backend. The frontend never touches the key.
4. Set up alerts: Billing alerts, rate limits, and usage monitoring.
5. Document: Update your architecture so this doesn't happen again.
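Steps 3 and 4 as working code: an added example (not the article's own code) of a backend proxy that keeps the upstream key server-side and meters every caller with a per-user daily quota, a per-minute rate limit and a spend alert, the three controls the startup in the example above lacked. The upstream call is injected as a callable so the module runs offline; the env var name `UPSTREAM_API_KEY` and all dollar figures are constructed for illustration.

```python
"""Backend proxy pattern: the key never leaves the server, callers are
identified by their own user id, and every request is metered."""
import os
import time
from collections import defaultdict
from typing import Callable, Optional

# Hypothetical env var; the fallback is a constructed placeholder, not a real key.
UPSTREAM_API_KEY = os.environ.get("UPSTREAM_API_KEY", "constructed-placeholder-key")


class QuotaExceeded(Exception):
    """Raised when a caller hits the per-user quota or rate limit."""


class ApiProxy:
    def __init__(self, upstream: Callable[[str, str], float], per_user_daily_usd: float,
                 max_calls_per_minute: int, alert_usd: float,
                 clock: Optional[Callable[[], float]] = None):
        self.upstream = upstream                  # callable(api_key, prompt) -> cost in USD
        self.per_user_daily_usd = per_user_daily_usd
        self.max_calls_per_minute = max_calls_per_minute
        self.alert_usd = alert_usd                # fire one alert when total spend crosses this
        self.clock = clock or time.time           # injectable so tests can freeze time
        self.spend = defaultdict(float)           # user_id -> USD spent today
        self.calls = defaultdict(list)            # user_id -> call timestamps in the last minute
        self.total_spend = 0.0
        self.alerts = []                          # in a real system: page someone

    def handle(self, user_id: str, prompt: str) -> float:
        """Forward one request for an authenticated user; returns the cost it incurred."""
        now = self.clock()
        recent = [t for t in self.calls[user_id] if now - t < 60]
        if len(recent) >= self.max_calls_per_minute:
            raise QuotaExceeded(f"{user_id}: rate limit of {self.max_calls_per_minute}/min reached")
        if self.spend[user_id] >= self.per_user_daily_usd:
            raise QuotaExceeded(f"{user_id}: daily quota of {self.per_user_daily_usd} USD reached")
        recent.append(now)
        self.calls[user_id] = recent
        # Only this line ever sees the key; the browser sees just the response.
        cost = self.upstream(UPSTREAM_API_KEY, prompt)
        self.spend[user_id] += cost
        self.total_spend += cost
        if self.total_spend >= self.alert_usd and not self.alerts:
            self.alerts.append(f"total spend {self.total_spend:.2f} USD crossed alert threshold")
        return cost
```

The checks run before the upstream call, so a caller who has exhausted their quota costs you nothing further.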
Tools and configurations
- Provider dashboards: Revoke and rotate keys.
- git-secrets: Prevents committing secrets.
- Backend proxy: Node.js, Python, or serverless functions.
- Billing alerts: Set up with your provider.
Common mistakes
- Delaying rotation because "we'll fix it later."
- Not removing the key from git history (use BFG or git-filter-repo).
- Putting keys in frontend code again.
Quick checklist
- [ ] Rotate the key immediately
- [ ] Remove key from all code and git history
- [ ] Move API calls to a backend proxy
- [ ] Set up billing alerts and rate limits
- [ ] Document the new architecture
Frequently asked questions
- What happens when an API key is leaked?
- Bots scrape leaked keys within hours. Attackers use them to rack up bills, abuse your API, or access data. Rotate the key immediately and move all API calls to a backend.
- How do I remove a leaked API key from git history?
- Use BFG Repo-Cleaner or git-filter-repo to remove the key from history. Then rotate the key—the old one is compromised even if removed from the repo.
- How do I prevent API key leaks?
- Never put keys in frontend code. Use a backend proxy. Store keys in a secrets manager. Use git-secrets to prevent committing secrets. Set up billing alerts.