Lovable apps ship fast — but are they shipping your secrets too?
Lovable, v0, and Bolt generate working apps in minutes. The tradeoff: AI tools often hardcode API keys directly into client-side JavaScript bundles, where anyone with a browser can read them. GetLeaked scans your public app URL and surfaces these leaks instantly — before they reach the wrong person.
Why this happens
AI code generators don't know your keys are secret.
When you tell Lovable to "add OpenAI integration", it writes the simplest code that works, which often means placing your API key in a NEXT_PUBLIC_ variable or directly in a fetch call. That code ships in your public JavaScript bundle. Every visitor to your site can open DevTools, search for sk- or eyJ, and find your credentials.
OpenAI & Anthropic keys
Found in client JS bundles. Attackers drain your credits or fine-tune on your dime.
Supabase anon + service keys
Exposed keys bypass Row Level Security and let anyone read or write your database.
Firebase credentials
Misconfigured security rules plus a leaked config mean open read/write on your data.
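You can run the same search over your own bundle before a visitor does. The sketch below is an added example, not GetLeaked's code, and the sample bundle and every key in it are constructed. It matches the sk- and eyJ prefixes, reads each JWT's `role` claim to tell a Supabase `anon` key from a `service_role` key (the one that bypasses Row Level Security), and redacts each match before reporting it. The regex lengths and severity labels are assumptions.

```javascript
// Added example. All key material below is constructed and fake.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fakeJwt = (role) =>
  [b64url({ alg: "HS256", typ: "JWT" }), b64url({ iss: "supabase", role }), "c2lnbmF0dXJl"].join(".");

// Constructed fragment of a minified client bundle.
const SAMPLE_BUNDLE = [
  'fetch(u,{headers:{Authorization:"Bearer sk-EXAMPLEexampleEXAMPLEexample0000"}});',
  `const a=createClient(u,"${fakeJwt("anon")}");`,
  `const s=createClient(u,"${fakeJwt("service_role")}");`,
].join("\n");

// Assumed patterns: an sk- prefixed key, and a three-part JWT whose header
// and payload both start with eyJ (base64url of a JSON object opening with {").
const SK_KEY = /\bsk-[A-Za-z0-9_-]{20,}/g;
const JWT = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Never echo a full secret into a report: keep a short prefix and the length.
const redact = (s) => `${s.slice(0, 6)}...[${s.length} chars]`;

// Decode the (unverified) JWT payload; returns null if it is not valid JSON.
function jwtClaims(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Scan bundle text and return redacted findings with an assumed severity label.
function scanBundle(text) {
  const findings = [];
  for (const [m] of text.matchAll(SK_KEY)) {
    findings.push({ kind: "sk- API key", severity: "critical", redacted: redact(m) });
  }
  for (const [m] of text.matchAll(JWT)) {
    const role = jwtClaims(m)?.role ?? "unknown";
    // service_role bypasses RLS; anon is subject to RLS, so review the policies.
    const severity = role === "service_role" ? "critical" : "review";
    findings.push({ kind: `JWT (role=${role})`, severity, redacted: redact(m) });
  }
  return findings;
}

console.log(scanBundle(SAMPLE_BUNDLE));
```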
What GetLeaked does
Paste your Lovable app URL. Get a security report in under 60 seconds.
GetLeaked fetches your app's public JavaScript bundles, scans them for leaked credentials, exposed tokens, direct AI API calls, and missing rate limits. No signup required. No code changes. No uploads. Just paste the URL and read the report.
What the scan checks
- API keys in public JavaScript bundles (OpenAI, Anthropic, Supabase, Firebase, Stripe)
- Direct browser-to-AI calls that expose your credentials and invite abuse
- Supabase RLS misconfigurations that make your database readable by anyone
- Missing rate limits on AI endpoints that could drain your budget overnight
- Secrets in error responses, logs, or public console output
No signup. No code changes. Results in <60s.
Secrets are redacted before findings leave the scan engine. Your files never leave your machine.