Built with Bolt? Let's make sure your keys aren't public.
Bolt.new is one of the fastest ways to build and ship a web app. But speed comes at a cost: AI-generated code frequently places API keys, database credentials, and auth tokens in places where any visitor can find them. GetLeaked runs a free public scan on your Bolt app URL and shows you exactly what's exposed — before someone else does.
The Bolt.new security problem
Bolt writes code that works. It doesn't always write code that's safe.
Bolt generates functional apps by taking the most direct path from prompt to working code. That often means environment variables prefixed with VITE_ or NEXT_PUBLIC_ — both of which are bundled into your public JavaScript and visible to anyone who views your source. It's not a bug in Bolt; it's a knowledge gap between "it works" and "it's secure".
Keys in your JS bundle
VITE_ and NEXT_PUBLIC_ prefixed vars ship to the browser verbatim. Attackers scan for them automatically.
Direct AI calls from the browser
Bolt often wires the frontend directly to OpenAI. Every user request hits your key, with no rate limit.
No auth on API routes
Generated API routes frequently lack authentication gates — any visitor can call them and run up costs.
Supabase without RLS
Bolt sometimes generates Supabase queries without enabling Row Level Security, leaving your data open.
How GetLeaked helps
One URL scan. A full picture of what's visible from the outside.
Paste your deployed Bolt app URL. GetLeaked fetches and analyses the public JavaScript bundles the same way an attacker would — looking for patterns that match API keys, database credentials, and misconfigured endpoints. You get a structured report with findings, severity, evidence, and plain-English fixes.
Example finding from a Bolt app scan
OpenAI key in Vite bundle
Severity: Critical
Evidence: sk-proj-**** found in assets/index-Bx9kLm2s.js
Fix: Move to a backend route. Use OPENAI_API_KEY (no VITE_ prefix) in your server env.
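What that fix looks like in practice, as an added example that is not GetLeaked's or Bolt's code: a small server-side route that holds the OpenAI key, gates callers on a session token and rate-limits them, so the browser bundle never contains the key. It assumes Node 18+ (global fetch) and a `validateSession` function of your own that maps a token to a user id; the limits are placeholder values.

```javascript
// Added example, not GetLeaked's or Bolt's code: a server-side proxy for the OpenAI
// call, so the key lives in OPENAI_API_KEY on the server and never reaches the bundle.
// Assumptions: Node 18+ (global fetch); `validateSession` is your own session check
// returning a user id or null; the limits below are placeholder values.

const WINDOW_MS = 60_000;      // rate-limit window per caller
const MAX_PER_WINDOW = 20;     // requests allowed per caller per window
const recentCalls = new Map(); // userId -> timestamps of calls inside the window

// Sliding-window limiter: true if the caller may proceed, false if over the limit.
function allow(userId, now = Date.now()) {
  const recent = (recentCalls.get(userId) || []).filter(t => now - t < WINDOW_MS);
  const ok = recent.length < MAX_PER_WINDOW;
  if (ok) recent.push(now);
  recentCalls.set(userId, recent);
  return ok;
}

// Returns an async handler for POST /api/chat taking { headers, body } and returning
// { status, body }. `fetchImpl` is injectable so the handler can be tested offline.
function createChatHandler({ apiKey = process.env.OPENAI_API_KEY, validateSession, fetchImpl = fetch } = {}) {
  if (!apiKey) throw new Error('OPENAI_API_KEY is not set in the server environment');
  return async function handleChat({ headers = {}, body = {} }) {
    // Auth gate: the route refuses anonymous callers instead of spending your key on them.
    const auth = headers.authorization || '';
    const token = auth.startsWith('Bearer ') ? auth.slice(7) : null;
    const userId = token ? await validateSession(token) : null;
    if (!userId) return { status: 401, body: { error: 'authentication required' } };
    if (!allow(userId)) return { status: 429, body: { error: 'rate limit exceeded' } };
    if (typeof body.prompt !== 'string' || body.prompt.length > 4000) {
      return { status: 400, body: { error: 'prompt must be a string of at most 4000 characters' } };
    }
    // The key is attached here, server-side; the browser only ever talks to this route.
    const res = await fetchImpl('https://api.openai.com/v1/chat/completions', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ model: 'gpt-4o-mini', messages: [{ role: 'user', content: body.prompt }] }),
    });
    const data = await res.json();
    // Pass back only the reply text, not the raw upstream response.
    return { status: res.ok ? 200 : 502, body: { reply: data.choices?.[0]?.message?.content ?? null } };
  };
}
```

Wire `createChatHandler()` to your framework's request object and have the frontend call `/api/chat` instead of api.openai.com; the `VITE_OPENAI_API_KEY` variable can then be deleted entirely.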
No signup. No code changes. Results in <60s.
Secrets are redacted before findings leave the scan engine. Your files never leave your machine.