[{"data":1,"prerenderedAt":420},["ShallowReactive",2],{"blog-how-to/check-exposed-keys":3},{"id":4,"title":5,"body":6,"category":401,"date":402,"dateModified":402,"description":403,"draft":404,"extension":405,"faq":406,"featured":404,"headerVariant":407,"image":406,"keywords":406,"meta":408,"navigation":409,"ogDescription":410,"ogTitle":406,"path":411,"readTime":406,"schemaOrg":412,"schemaType":413,"seo":414,"sitemap":415,"stem":416,"tags":417,"twitterCard":418,"__hash__":419},"blog/blog/how-to/check-exposed-keys.md","How to Check for Exposed API Keys",{"type":7,"value":8,"toc":384},"minimark",[9,13,17,21,27,32,35,135,139,142,153,159,163,166,172,178,182,185,191,196,220,224,227,241,246,250,254,257,261,264,270,274,277,283,287,320,346,365],[10,11],"category-badge",{"category":12},"How-To Guide",[14,15,5],"h1",{"id":16},"how-to-check-for-exposed-api-keys",[18,19,20],"p",{},"Find leaked secrets before attackers do",[22,23,24],"tldr",{},[18,25,26],{},"TL;DR:\nSearch your codebase with grep for common key patterns. Check git history for past commits. Inspect your browser bundle and network requests. Use automated tools like GitHub secret scanning or\nCheckYourVibe\nfor continuous monitoring.",[28,29,31],"h2",{"id":30},"common-key-patterns-to-search-for","Common Key Patterns to Search For",[18,33,34],{},"API keys often follow recognizable patterns. 
Here are the most common ones:",[36,37,38,54],"table",{},[39,40,41],"thead",{},[42,43,44,48,51],"tr",{},[45,46,47],"th",{},"Service",[45,49,50],{},"Pattern",[45,52,53],{},"Example",[55,56,57,69,80,91,102,113,124],"tbody",{},[42,58,59,63,66],{},[60,61,62],"td",{},"Stripe Secret",[60,64,65],{},"sk_live_ or sk_test_",[60,67,68],{},"sk_test_51H...",[42,70,71,74,77],{},[60,72,73],{},"OpenAI",[60,75,76],{},"sk-",[60,78,79],{},"sk-proj-abc123...",[42,81,82,85,88],{},[60,83,84],{},"Supabase Service",[60,86,87],{},"eyJ (JWT)",[60,89,90],{},"eyJhbGciOiJIUz...",[42,92,93,96,99],{},[60,94,95],{},"AWS",[60,97,98],{},"AKIA",[60,100,101],{},"AKIAIOSFODNN7...",[42,103,104,107,110],{},[60,105,106],{},"GitHub Token",[60,108,109],{},"ghp_ or github_pat_",[60,111,112],{},"ghp_xxxx...",[42,114,115,118,121],{},[60,116,117],{},"SendGrid",[60,119,120],{},"SG.",[60,122,123],{},"SG.xxxx...",[42,125,126,129,132],{},[60,127,128],{},"Twilio",[60,130,131],{},"SK (32 chars)",[60,133,134],{},"SKxxxx...",[28,136,138],{"id":137},"method-1-search-your-source-code","Method 1: Search Your Source Code",[18,140,141],{},"Use grep to search for hardcoded keys in your project:",[143,144,149],"pre",{"className":145,"code":147,"language":148},[146],"language-text","# Search for common key patterns\ngrep -rn \"sk_live\\|sk_test\\|sk-\\|AKIA\\|ghp_\\|SG\\.\" \\\n  --include=\"*.ts\" --include=\"*.js\" --include=\"*.tsx\" --include=\"*.jsx\" .\n\n# Search for generic patterns\ngrep -rn \"api_key\\|apiKey\\|API_KEY\\|secret\\|password\" \\\n  --include=\"*.ts\" --include=\"*.js\" --include=\"*.json\" .\n\n# Exclude node_modules and other irrelevant directories\ngrep -rn \"sk_live\" --include=\"*.ts\" --exclude-dir=node_modules .\n","text",[150,151,147],"code",{"__ignoreMap":152},"",[154,155,156],"tip-box",{},[18,157,158],{},"Pro tip:\nLook for long random strings (32+ characters) that aren't obviously UUIDs or hashes.",[28,160,162],{"id":161},"method-2-check-git-history","Method 2: Check Git 
History",[18,164,165],{},"Keys might have been removed from current code but still exist in git history:",[143,167,170],{"className":168,"code":169,"language":148},[146],"# Search entire git history for key patterns\ngit log -p --all | grep -E \"sk_live|sk_test|api_key|AKIA\"\n\n# Search for specific file changes\ngit log -p -- .env\n\n# Check if .env files were ever tracked\ngit log --all --full-history -- \"*.env*\"\n\n# See all .env related commits\ngit log --oneline --all -- \".env*\"\n",[150,171,169],{"__ignoreMap":152},[173,174,175],"warning-box",{},[18,176,177],{},"If you find keys in git history:\nThose keys should be considered compromised. Rotate them immediately, even if you think the repo is private. Then consider cleaning your git history with\ngit filter-branch\nor BFG Repo Cleaner.",[28,179,181],{"id":180},"method-3-inspect-your-browser-bundle","Method 3: Inspect Your Browser Bundle",[18,183,184],{},"Secret keys should never appear in client-side code. Check your production build:",[143,186,189],{"className":187,"code":188,"language":148},[146],"# Build your app\nnpm run build\n\n# Search the build output\ngrep -rn \"sk_live\\|sk_test\\|sk-\\|STRIPE_SECRET\" .next/ dist/ build/\n\n# For Next.js specifically\ngrep -rn \"sk_\" .next/static/\n",[150,190,188],{"__ignoreMap":152},[192,193,195],"h3",{"id":194},"check-in-the-browser","Check in the Browser",[197,198,199,203,206,209],"ol",{},[200,201,202],"li",{},"Open your deployed site",[200,204,205],{},"Open DevTools (F12) → Sources tab",[200,207,208],{},"Press Ctrl+Shift+F (or Cmd+Shift+F on Mac) to search all sources",[200,210,211,212,215,216,219],{},"Search for ",[150,213,214],{},"sk_",", ",[150,217,218],{},"api_key",", or other patterns",[28,221,223],{"id":222},"method-4-monitor-network-requests","Method 4: Monitor Network Requests",[18,225,226],{},"Keys shouldn't be sent from the browser to third-party services:",[197,228,229,232,235,238],{},[200,230,231],{},"Open DevTools → Network 
tab",[200,233,234],{},"Use your app normally (login, submit forms, etc.)",[200,236,237],{},"Click on each request and check Headers and Payload",[200,239,240],{},"Look for Authorization headers or API keys in request bodies",[173,242,243],{},[18,244,245],{},"Red flag:\nIf you see secret keys (like\nsk_live_\n) being sent from the browser, your key is exposed to anyone using your site.",[28,247,249],{"id":248},"method-5-use-automated-tools","Method 5: Use Automated Tools",[192,251,253],{"id":252},"github-secret-scanning","GitHub Secret Scanning",[18,255,256],{},"Enable in repo Settings → Security → Secret scanning. GitHub will alert you when it detects exposed secrets.",[192,258,260],{"id":259},"pre-commit-hooks","Pre-commit Hooks",[18,262,263],{},"Install tools that scan before each commit:",[143,265,268],{"className":266,"code":267,"language":148},[146],"# Install detect-secrets\npip install detect-secrets\n\n# Create baseline\ndetect-secrets scan > .secrets.baseline\n\n# Add pre-commit hook\n# In .pre-commit-config.yaml:\nrepos:\n  - repo: https://github.com/Yelp/detect-secrets\n    rev: v1.4.0\n    hooks:\n      - id: detect-secrets\n        args: ['--baseline', '.secrets.baseline']\n",[150,269,267],{"__ignoreMap":152},[192,271,273],{"id":272},"cicd-scanning","CI/CD Scanning",[18,275,276],{},"Add secret scanning to your deployment pipeline:",[143,278,281],{"className":279,"code":280,"language":148},[146],"# GitHub Actions example\n- name: Scan for secrets\n  uses: trufflesecurity/trufflehog@main\n  with:\n    path: ./\n    base: main\n    head: HEAD\n",[150,282,280],{"__ignoreMap":152},[28,284,286],{"id":285},"what-to-do-if-you-find-exposed-keys","What to Do If You Find Exposed Keys",[197,288,289,296,302,308,314],{},[200,290,291,295],{},[292,293,294],"strong",{},"Rotate immediately"," - Generate a new key in the service dashboard",[200,297,298,301],{},[292,299,300],{},"Update production"," - Deploy the new key",[200,303,304,307],{},[292,305,306],{},"Revoke the 
old key"," - Delete it from the service",[200,309,310,313],{},[292,311,312],{},"Check for abuse"," - Review logs for unauthorized usage",[200,315,316,319],{},[292,317,318],{},"Fix the root cause"," - Move to environment variables, update .gitignore",[321,322,323,334,340],"faq-section",{},[324,325,327],"faq-item",{"question":326},"Are Supabase anon keys safe to have in client code?",[18,328,329,330,333],{},"Yes, Supabase anon keys are designed to be public. They are only safe when Row Level Security policies are enabled, because those policies are what limit what the key can read or write. However, the ",[150,331,332],{},"service_role"," key must never be exposed.",[324,335,337],{"question":336},"What about Firebase config objects?",[18,338,339],{},"Firebase config (apiKey, authDomain, etc.) is designed to be public. It identifies your project but doesn't grant access. Your security comes from Firebase Security Rules, not hiding the config.",[324,341,343],{"question":342},"How often should I check for exposed keys?",[18,344,345],{},"Set up automated scanning to check on every commit. Additionally, do a manual review before any major release or when onboarding new team members.",[18,347,348,351,356,357,356,361],{},[292,349,350],{},"Related guides:",[352,353,355],"a",{"href":354},"/blog/how-to/hide-api-keys","How to Hide API Keys"," ·\n",[352,358,360],{"href":359},"/blog/how-to/rotate-api-keys","How to Rotate API Keys",[352,362,364],{"href":363},"/blog/how-to/secret-scanning","How to Enable Secret Scanning",[366,367,368,374,379],"related-articles",{},[369,370],"related-card",{"description":371,"href":372,"title":373},"Step-by-step guide to database encryption. Implement encryption at rest, in transit, and application-level encryption fo","/blog/how-to/database-encryption","How to Encrypt Database Data",[369,375],{"description":376,"href":377,"title":378},"Complete guide to setting up .env files for local development. 
Learn the dotenv package, file naming conventions, and ho","/blog/how-to/dotenv-setup","How to Set Up .env Files - Complete Guide",[369,380],{"description":381,"href":382,"title":383},"Step-by-step guide to securing your Drizzle ORM setup. Safe SQL queries, input validation, and access control patterns f","/blog/how-to/drizzle-security","How to Secure Drizzle ORM",{"title":152,"searchDepth":385,"depth":385,"links":386},2,[387,388,389,390,394,395,400],{"id":30,"depth":385,"text":31},{"id":137,"depth":385,"text":138},{"id":161,"depth":385,"text":162},{"id":180,"depth":385,"text":181,"children":391},[392],{"id":194,"depth":393,"text":195},3,{"id":222,"depth":385,"text":223},{"id":248,"depth":385,"text":249,"children":396},[397,398,399],{"id":252,"depth":393,"text":253},{"id":259,"depth":393,"text":260},{"id":272,"depth":393,"text":273},{"id":285,"depth":385,"text":286},"how-to","2026-01-07","Methods to verify your API keys aren't exposed in your codebase, git history, browser bundle, or network requests. Find leaked secrets before attackers do.",false,"md",null,"yellow",{},true,"Methods to verify your API keys aren't exposed in code or browser.","/blog/how-to/check-exposed-keys","[object Object]","HowTo",{"title":5,"description":403},{"loc":411},"blog/how-to/check-exposed-keys",[],"summary_large_image","a5mqqUNsoG3T7I5AHm0ESGyVYqIxTffMEC2k-ynAJEY",1775843928936]