Are your API keys exposed in public code?
Exposed API keys are the most common — and most avoidable — security mistake in modern web apps. They end up in public JavaScript bundles, GitHub repos, and error logs, where automated scanners (and curious developers) find them within hours of deployment. GetLeaked checks your public app URL for exposed credentials, free.
No signup. No code changes. Results in <60s.
How it happens
Three ways API keys end up in public code
Wrong environment variable prefix
Variables prefixed with NEXT_PUBLIC_ or VITE_ are deliberately bundled into client-side JavaScript so the browser can access them. Use these prefixes only for values that are genuinely safe to be public. API keys are never safe to be public.
Committed to a public repository
Developers accidentally commit .env files or hardcode keys during testing. Even after deletion, keys can persist in git history. Automated bots scan GitHub for credential patterns continuously.
AI code generators take shortcuts
Tools like Lovable, Bolt, v0, and Cursor write code that works — but they often generate the simplest path, which places API calls directly in the frontend with keys inline. The code runs, but so does your exposure.
Common exposed credentials
We scan for all of these — and more.
OpenAI
sk-proj-…
Attackers use your key to call GPT-4, run completions, or fine-tune models at your expense.
Supabase
eyJ…
Anon and service-role keys expose your database, auth system, and storage to the public.
Firebase
AIza…
Combined with open security rules, leaked Firebase config gives read/write access to your data.
Stripe
sk_live_…
Live Stripe keys exposed in client code let attackers create charges, read customer data, or issue refunds.
Anthropic
sk-ant-…
Claude API keys in public bundles burn your quota and can be used for prompt injection attacks.
GitHub
ghp_…
Personal access tokens in public code expose your repositories and potentially your organisation.
How GetLeaked scans
The same check an attacker would run — but in your hands first.
GetLeaked fetches the public JavaScript bundles that ship with your app, then runs pattern matching against known credential formats from over 30 providers. Secrets are redacted in the report — we show you what's exposed and how to fix it, not the key itself. No files are stored after the scan completes.
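As an added example (not GetLeaked's own code) of the pattern-matching and redaction step described here, applied to the key prefixes listed under "Common exposed credentials" above, the Node.js script below scans a script body for those prefixes and reports only masked values. The regex character classes, minimum lengths, and the sample bundle are constructed assumptions, not the providers' official key formats.

```javascript
// Added example, not GetLeaked's code. Character classes and minimum lengths
// are simplified assumptions, not the providers' official key formats.
const PATTERNS = [
  { provider: 'OpenAI',    prefix: 'sk-proj-', re: /sk-proj-[A-Za-z0-9_-]{20,}/g },
  { provider: 'Anthropic', prefix: 'sk-ant-',  re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
  { provider: 'Stripe',    prefix: 'sk_live_', re: /sk_live_[A-Za-z0-9]{16,}/g },
  { provider: 'GitHub',    prefix: 'ghp_',     re: /ghp_[A-Za-z0-9]{20,}/g },
  { provider: 'Firebase',  prefix: 'AIza',     re: /AIza[A-Za-z0-9_-]{30,}/g },
  // Supabase anon/service-role keys are JWTs: three base64url parts starting with eyJ.
  { provider: 'Supabase',  prefix: 'eyJ',
    re: /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
];

// Keep the recognisable prefix and the last four characters; mask the rest so
// the report itself never carries a usable credential.
function redact(secret, prefix) {
  const hidden = Math.max(0, secret.length - prefix.length - 4);
  return prefix + '*'.repeat(hidden) + secret.slice(-4);
}

// Scan one script body (a downloaded bundle or an inline <script>). Returns one
// finding per distinct secret: provider, masked value, first line, occurrence count.
function scanScript(text) {
  const found = new Map();
  for (const { provider, prefix, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      const key = `${provider}:${m[0]}`;
      if (found.has(key)) { found.get(key).count += 1; continue; }
      const line = text.slice(0, m.index).split('\n').length;
      found.set(key, { provider, redacted: redact(m[0], prefix), line, count: 1 });
    }
  }
  return [...found.values()];
}

// Constructed sample bundle; the values are obviously fake, not real credentials.
const SAMPLE_BUNDLE = [
  'const u="https://example.supabase.co";',
  'fetch("https://api.openai.com/v1/chat/completions",{headers:{',
  'Authorization:"Bearer sk-proj-FAKEFAKEFAKEFAKEFAKEFAKE0001"}});',
  'const s=createClient(u,"eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiJ9.FAKEsigFAKEsigFAKEsig");',
  'const again="sk-proj-FAKEFAKEFAKEFAKEFAKEFAKE0001";',
].join('\n');

for (const f of scanScript(SAMPLE_BUNDLE)) {
  console.log(`${f.provider} key at line ${f.line} (x${f.count}): ${f.redacted}`);
}
```

To run it against a real deployment, replace SAMPLE_BUNDLE with the text of each script your page loads; a hit on a server-side prefix such as sk_live_ or sk-ant- in any of them means the key must be rotated and moved behind a backend.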
What the free scan covers
- Public JavaScript bundles shipped with your Next.js, Vite, or similar build
- Inline scripts embedded directly in the HTML of your public pages
- Direct browser-to-AI API calls that expose your credentials to users
- Supabase Row Level Security misconfigurations detectable from the client
- Missing rate-limit signals on publicly accessible API endpoints
No signup required. Results in under 60 seconds.
Secrets are redacted before findings leave the scan engine. Your files never leave your machine.