Fix Exposed API Keys with AI Prompts

TL;DR

These prompts help AI tools find and fix hardcoded API keys in your codebase. They'll move secrets to environment variables, create proper .env files, and update your code to use the secure approach. Copy the prompt that matches your situation and paste it into your AI assistant.

Quick Fix Prompt

Use this general-purpose prompt to find and fix all exposed API keys in your project:

General API Key Fix

Scan this codebase for any hardcoded API keys, secrets, or credentials. For each one you find:

  1. Identify the file and line number
  2. Create an environment variable with a descriptive name
  3. Update the code to use the environment variable
  4. Add the variable to a .env.example file with a placeholder value
  5. Make sure .env is in .gitignore

Look for patterns like:

  • API keys (sk_live, pk_live, api_key, apiKey)
  • Database connection strings
  • JWT secrets
  • OAuth client secrets
  • Any string that looks like a credential

Show me the changes needed and explain why each secret needs to be moved.

Framework-Specific Prompts

Next.js / React

Use when: You have a Next.js or React app with hardcoded keys in your components or API routes.

Next.js API Key Fix

I have hardcoded API keys in my Next.js app that need to be moved to environment variables.

Please:

  1. Find all hardcoded secrets in the codebase
  2. For client-side code, use NEXT_PUBLIC_ prefix for keys that must be exposed
  3. For server-side only keys, use regular env var names
  4. Update next.config.js if needed for environment variable configuration
  5. Create .env.local.example with placeholder values
  6. Update any API routes to use process.env

Important: Only use NEXT_PUBLIC_ for keys that absolutely must be in the browser. Most API keys should stay server-side only.

Show me which keys are safe for client-side and which must stay server-only.

Node.js / Express

Use when: You have a Node.js backend with hardcoded credentials.

Node.js API Key Fix

Fix the hardcoded API keys in my Node.js/Express application.

Please:

  1. Scan all files for hardcoded secrets
  2. Install dotenv if not already present
  3. Create a config file that loads environment variables with validation
  4. Update all files to import from the config
  5. Create .env.example with all required variables
  6. Add .env to .gitignore if missing

The config should throw clear errors if required environment variables are missing at startup, not at runtime when the API is called.

Python / Django / Flask

Use when: You have Python code with hardcoded API credentials.

Python API Key Fix

My Python application has hardcoded API keys that need to be secured.

Please:

  1. Find all hardcoded credentials in .py files
  2. Use python-dotenv or the appropriate method for my framework
  3. Create a settings/config module that loads and validates env vars
  4. Update imports throughout the codebase
  5. Create .env.example with placeholder values
  6. Ensure .env is in .gitignore

For Django, use django-environ or similar. For Flask, use the standard pattern. Include type hints and validation where appropriate.
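An added example, not from this page, of the fail-fast config module that both the Node.js and Python prompts above ask for, written in JavaScript. The SPEC table of variable names and format checks is a constructed assumption; the point is that a missing or malformed variable stops startup and that error messages name the variable but never print its value.

```javascript
// Added example (not from the page or any project it names): a fail-fast config
// loader for Node.js. It reads from an env object (process.env by default),
// checks every required variable at startup, and names only the variable,
// never its value, in error messages.

// Constructed specification: name, whether it is required, optional fallback and format check.
const SPEC = [
  { name: "STRIPE_SECRET_KEY", required: true, check: (v) => /^sk_(?:live|test)_/.test(v) },
  { name: "OPENAI_API_KEY", required: true },
  { name: "JWT_SECRET", required: true, check: (v) => v.length >= 32 },
  { name: "PORT", required: false, fallback: "3000", check: (v) => /^\d+$/.test(v) },
];

// Returns a frozen config object, or throws one error listing every problem so
// a misconfigured deployment stops before it serves a single request.
function loadConfig(env = process.env) {
  const problems = [];
  const config = {};
  for (const { name, required, check, fallback } of SPEC) {
    const raw = env[name];
    const value = raw === undefined || raw === "" ? fallback : raw;
    if (value === undefined) {
      if (required) problems.push(`${name} is required but not set`);
      continue;
    }
    if (check && !check(value)) {
      problems.push(`${name} has an invalid format`); // the value may be a secret: do not echo it
      continue;
    }
    config[name] = value;
  }
  if (problems.length > 0) {
    throw new Error(`Configuration error:\n  - ${problems.join("\n  - ")}`);
  }
  return Object.freeze(config);
}

// Renders the .env.example content that matches SPEC, with placeholders instead of values.
function renderEnvExample() {
  return SPEC.map(({ name, required, fallback }) =>
    `${name}=${required ? "<required>" : `<optional, default ${fallback}>`}`).join("\n");
}
```

Call loadConfig() once at the top of the entry point and import the returned object everywhere else, so the process fails at boot rather than on the first request that touches a key.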

Specific Service Prompts

Stripe Keys

Fix Stripe Keys

I have Stripe API keys hardcoded in my application. Fix this security issue.

Requirements:

  1. Find all Stripe keys (sk_live_, sk_test_, pk_live_, pk_test_)
  2. Move secret keys to server-side environment variables only
  3. Publishable keys can use NEXT_PUBLIC_ or equivalent if needed client-side
  4. Never expose secret keys (sk_) to the client
  5. Create separate env vars for test and live modes
  6. Update Stripe initialization to use env vars

Naming convention:

  • STRIPE_SECRET_KEY (server only)
  • STRIPE_PUBLISHABLE_KEY or NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
  • STRIPE_WEBHOOK_SECRET (server only)

OpenAI / AI Service Keys

Fix OpenAI/AI Keys

I have OpenAI (or other AI service) API keys exposed in my code. These keys can rack up costs quickly if stolen.

Please:

  1. Find all AI service API keys (OpenAI, Anthropic, etc.)
  2. Move them to server-side environment variables
  3. NEVER expose these keys to the client
  4. Create an API route or backend endpoint for AI calls
  5. Add rate limiting to prevent abuse
  6. Update the client to call your API instead of the AI service directly

These keys must be server-side only. If you find any in client-side code, create a backend proxy.
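An added example of the backend proxy with rate limiting that steps 4 to 6 above describe; it is not code from this page or from any AI provider. The provider URL, the request body shape and the limits are assumptions, and the handler is framework-agnostic so it can be wired into an Express or Next.js route.

```javascript
// Added example (not from the page): a server-side proxy for AI calls with a
// per-client rate limit. Only this handler holds the provider key; the browser
// sends it a prompt and never sees the key. It returns { status, body } so it
// can be adapted to any HTTP framework; the provider URL is a placeholder.

const PROVIDER_URL = "https://api.ai-provider.invalid/v1/complete"; // placeholder, not a real endpoint

// Fixed-window limiter keyed by client id (user id, session, or IP).
// `now` is injectable so the window logic can be tested deterministically.
function createRateLimiter({ limit, windowMs, now = Date.now }) {
  const windows = new Map();
  return function allow(clientId) {
    const t = now();
    const w = windows.get(clientId);
    if (!w || t - w.start >= windowMs) {
      windows.set(clientId, { start: t, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

function createAiProxy({ apiKey, fetchImpl = globalThis.fetch, limit = 20, windowMs = 60_000, now }) {
  if (!apiKey) throw new Error("AI provider key is not configured on the server");
  const allow = createRateLimiter({ limit, windowMs, now });
  return async function handle({ clientId, prompt }) {
    if (!allow(clientId)) return { status: 429, body: { error: "rate limit exceeded" } };
    if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > 4000) {
      return { status: 400, body: { error: "prompt must be 1 to 4000 characters" } };
    }
    const res = await fetchImpl(PROVIDER_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ prompt }),
    });
    // Do not forward the provider's error body: it can include request details and headers.
    if (!res.ok) return { status: 502, body: { error: "upstream request failed" } };
    const data = await res.json();
    return { status: 200, body: { text: data.text } };
  };
}
```

Construct the proxy once at startup with createAiProxy({ apiKey: process.env.OPENAI_API_KEY }) so a missing key fails at boot, and have the browser code call your route instead of the provider.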

Database Connection Strings

Fix Database Credentials

My database connection strings are hardcoded. Fix this and set up proper configuration.

Please:

  1. Find all database URLs and credentials
  2. Move to DATABASE_URL environment variable
  3. Support different databases for development and production
  4. Update ORM configuration (Prisma, Drizzle, or other)
  5. Add connection string validation at startup
  6. Create .env.example with placeholder URLs

For Prisma, update schema.prisma to use env("DATABASE_URL"). For Drizzle, update the config file appropriately.
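An added example, not from this page or from Prisma or Drizzle, of the startup validation step 5 asks for: parse DATABASE_URL, apply a stricter policy when NODE_ENV is production, and produce a password-free copy for logs. The allowed schemes and the production rules are assumptions about a sensible policy.

```javascript
// Added example (not from the page): startup validation of DATABASE_URL for a
// Node.js service, plus a redacted form that is safe to log. The policy is an
// assumption: supported schemes, a database name, and in production no local
// host, no empty password and no sslmode=disable.

const ALLOWED_SCHEMES = new Set(["postgres:", "postgresql:", "mysql:"]);
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns the parsed URL with a password-free copy for logs. Error messages name
// the problem but never repeat the connection string, which carries a password.
function validateDatabaseUrl(env) {
  const raw = env.DATABASE_URL;
  if (!raw) throw new Error("DATABASE_URL is not set (see .env.example)");
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("DATABASE_URL is not a valid URL");
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) throw new Error(`DATABASE_URL scheme ${url.protocol} is not supported`);
  if (!url.hostname) throw new Error("DATABASE_URL has no host");
  if (url.pathname.length < 2) throw new Error("DATABASE_URL has no database name");
  if (env.NODE_ENV === "production") {
    if (LOCAL_HOSTS.has(url.hostname)) throw new Error("production DATABASE_URL points at a local host");
    if (!url.password) throw new Error("production DATABASE_URL has no password");
    if (url.searchParams.get("sslmode") === "disable") throw new Error("production DATABASE_URL disables TLS");
  }
  return { url, redacted: redactUrl(url) };
}

// Copy of the URL with the password replaced, for startup logs and error reports.
function redactUrl(url) {
  const copy = new URL(url.toString());
  if (copy.password) copy.password = "REDACTED";
  return copy.toString();
}
```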

Important: After moving API keys to environment variables, you should rotate the exposed keys immediately. Anyone who saw your code could have copied them. Generate new keys from your service provider's dashboard.

Verification Prompt

After fixing your keys, use this prompt to verify no secrets remain:

Verify No Secrets Remain

Scan this entire codebase and confirm no secrets are still hardcoded.

Check for:

  1. API keys (any string starting with sk_, pk_, api_, key_)
  2. Connection strings with passwords
  3. JWT secrets
  4. OAuth credentials
  5. Any 32+ character random strings that could be secrets

For each potential secret found, tell me:

  • File and line number
  • What type of secret it appears to be
  • Whether it's actually a secret or a false positive

Also verify:

  • .env is in .gitignore
  • .env.example exists with placeholder values
  • No .env file is committed to git

Pro tip: Run git log -p | grep -i "api_key\|secret\|password" to check if secrets were ever committed to your git history. If they were, you'll need to remove them from history too.
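An added example, not from this page or any scanner it names, of the verification checks above run as code over a constructed set of files: it reports file, line and type for each candidate, applies the Stripe prefix rule from the Stripe section (pk_ may be client-side, sk_ never), and filters the false positives a reviewer would otherwise have to dismiss by hand (lines already reading process.env, .env.example placeholders, low-entropy dummy strings). The regexes and the entropy threshold are assumptions; dedicated scanners cover far more patterns.

```javascript
// Added example (not from the page): a small scanner over constructed source
// files that reports candidate secrets with file, line and type, says whether a
// key is safe in client code, and drops lines that already read the environment,
// placeholder values and low-entropy dummy strings.
const PATTERNS = [ // ordered most specific first; the first match on a line wins
  { type: "stripe_secret", clientSafe: false, re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}/ },
  { type: "stripe_publishable", clientSafe: true, re: /\bpk_(?:live|test)_[A-Za-z0-9]{8,}/ },
  { type: "connection_string", clientSafe: false, re: /\b(?:postgres(?:ql)?|mysql|mongodb):\/\/[^:\s]+:[^@\s]+@/ },
  { type: "generic_credential", clientSafe: false, re: /(?:api[_-]?key|secret|password|token|key)\s*[:=]\s*["']?([^\s"']{16,})/i },
];
const PLACEHOLDER = /^(?:<.*>|your[_-]|xxx|changeme|example|placeholder)/i;
const MIN_ENTROPY = 3.0; // bits per character; real random secrets score well above this

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

// Returns [{ file, line, type, clientSafe }] for each line that survives the filters.
function scanFile(file, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    if (/process\.env\.|os\.environ/.test(line)) return; // already reads the environment
    for (const p of PATTERNS) {
      const m = line.match(p.re);
      if (!m) continue;
      const value = m[1] ?? m[0];
      if (!PLACEHOLDER.test(value) && shannonEntropy(value) >= MIN_ENTROPY) {
        findings.push({ file, line: idx + 1, type: p.type, clientSafe: p.clientSafe });
      }
      break;
    }
  });
  return findings;
}
function scanRepo(files) {
  return Object.entries(files).flatMap(([file, text]) => scanFile(file, text));
}
// Constructed sample repository; every value below is made up for this demo.
const SAMPLE_REPO = {
  "src/stripe.js": 'const stripe = require("stripe")("sk_live_C0nstructedExampleKey01");\n',
  "src/ok.js": 'const stripe = require("stripe")(process.env.STRIPE_SECRET_KEY);\n',
  ".env.example": "OPENAI_API_KEY=<your-openai-key>\nSTRIPE_PUBLISHABLE_KEY=pk_test_C0nstructedPublishable1\n",
  "src/db.js": 'const url = "postgres://app:Tr0ub4dor&3x@db.internal:5432/app";\n',
  "src/legacy.js": 'const password = "aaaaaaaaaaaaaaaaaaaa"; // dummy value, low entropy\n',
};
```

On the sample, scanRepo(SAMPLE_REPO) reports the live Stripe secret, the real-looking publishable key left in .env.example where a placeholder belongs, and the database URL with an embedded password, and stays silent on the three lines that are fine.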

How do I use these prompts to fix exposed API keys?

Copy the prompt that matches your situation, paste it into your AI coding tool (Cursor, Claude, or ChatGPT), and let it generate the fix. The prompts include context so the AI understands the security requirements.

Will these prompts work with any programming language?

Yes, these prompts work with JavaScript, TypeScript, Python, and most other common languages. The AI will adapt the solution to your specific codebase and framework.

What should I do after moving API keys to environment variables?

After moving keys, you should rotate the exposed keys immediately since they may have been compromised. Also add the .env file to your .gitignore to prevent future exposure.

Do I need to remove secrets from my git history?

If your repository is public or was ever public, yes. Secrets in git history can still be accessed even after you delete the file. Use git filter-branch or BFG Repo-Cleaner to remove them from history.
