March 24, 2026 · SafeToShip Team
Why Your Vibe-Coded App Might Be Leaking Secrets
AI tools like Lovable, Bolt, and Cursor make it easy to ship fast. They also make it easy to accidentally expose API keys, database credentials, and tokens in your client-side code.
You asked your AI to build a full-stack app. It wrote the backend, connected the database, added Stripe payments, and deployed it. The whole thing took 20 minutes.
But here is the problem: your API keys might be visible to every single visitor.
How secrets end up in your browser
When AI tools generate code, they optimize for getting things working. That often means putting API keys directly where they are used, including in client-side JavaScript files that anyone can read.
Here are the most common patterns we see:
Supabase service role keys
The Supabase anon key is meant to be public. The service role key is not. But AI-generated code frequently uses the service role key in client components because it "just works" without Row Level Security getting in the way.
If your service role key is in a client-side bundle, anyone can bypass all your RLS policies and read, write, or delete anything in your database.
OpenAI and Anthropic API keys
AI tools love to call AI APIs, and they sometimes put the API key right in the fetch call. If that fetch happens in a client component, the key is visible in your browser's Network tab. Someone could run up thousands of dollars on your account overnight.
Stripe secret keys
Your Stripe publishable key (pk_live_) is meant to be public. Your secret key (sk_live_) is not. We have scanned apps where the secret key was embedded in a client-side checkout flow, giving attackers full access to refund orders, create charges, and read customer data.
How to check right now
The fastest way to check: open your deployed app in Chrome, press Ctrl+U (or Cmd+U on Mac) to view source, and search for common key prefixes. Note that view source shows only the HTML document, so for keys that live in separately loaded JavaScript bundles, search those files too (in DevTools, the Sources panel with Ctrl+Shift+F searches every loaded script). The prefixes to look for:
sk- (OpenAI)
sk-ant- (Anthropic)
sk_live_ (Stripe secret)
AKIA (AWS)
service_role (Supabase)
If you find any of these, rotate the key immediately and move the API call to a server-side route.
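The same check, scripted. This is an added example, not SafeToShip's scanner or code from the post: it runs the prefix search above over bundle text and, because Supabase anon and service_role keys share the same JWT prefix, decodes each JWT's role claim instead of relying on the literal string. The key character classes and lengths, and every value in the sample bundle, are assumptions constructed for the demo.

```javascript
// Added example, not SafeToShip's scanner: finds the key prefixes listed above in
// bundle text and tells a Supabase service_role JWT from the public anon JWT.
// Run with Node (uses the global Buffer); prints findings for a constructed bundle.
const PATTERNS = [
  // Anthropic keys also start with "sk-", so exclude "sk-ant-" from the OpenAI pattern.
  { provider: 'Anthropic', re: /sk-ant-[A-Za-z0-9_-]{8,}/g },
  { provider: 'OpenAI', re: /sk-(?!ant-)[A-Za-z0-9_-]{8,}/g },
  { provider: 'Stripe secret', re: /sk_live_[A-Za-z0-9]{8,}/g },
  { provider: 'AWS access key id', re: /AKIA[A-Z0-9]{16}/g },
];
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Keep just enough of a match to identify which key leaked; never log the whole secret.
function redact(s) {
  return s.length <= 10 ? s : `${s.slice(0, 6)}...${s.slice(-4)}`;
}

// Supabase anon and service_role keys are both JWTs; only the payload's
// "role" claim tells them apart, so decode it rather than grepping for a prefix.
function jwtRole(token) {
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    return JSON.parse(payload).role ?? null;
  } catch { return null; } // not a decodable JWT
}

function scanBundle(source) {
  const findings = [];
  for (const { provider, re } of PATTERNS) {
    for (const m of source.matchAll(re)) findings.push({ provider, sample: redact(m[0]) });
  }
  for (const m of source.matchAll(JWT_RE)) {
    if (jwtRole(m[0]) === 'service_role') findings.push({ provider: 'Supabase service_role', sample: redact(m[0]) });
  }
  return findings;
}

// Constructed sample bundle: every value below is fabricated, not a real credential.
const fakeJwt = (role) => 'eyJhbGciOiJIUzI1NiJ9.' +
  Buffer.from(JSON.stringify({ iss: 'supabase', role })).toString('base64url') + '.c2lnbmF0dXJl';
const ANON_JWT = fakeJwt('anon');
const SAMPLE_BUNDLE = `
const admin = createClient(url, "${fakeJwt('service_role')}"); // anon key "${ANON_JWT}" belongs here
fetch(openaiUrl, { headers: { Authorization: "Bearer sk-EXAMPLEfakekey0000000000" } });
const claude = new Anthropic({ apiKey: "sk-ant-EXAMPLE000000000000" });
const stripe = Stripe("sk_live_EXAMPLEsecret000000"), s3 = new S3({ accessKeyId: "AKIAEXAMPLE000000000" });
const pub = Stripe("pk_live_EXAMPLEpublishable00"); // publishable key, meant to be public
`;

for (const f of scanBundle(SAMPLE_BUNDLE)) console.log(`${f.provider}: ${f.sample}`);
```

Point scanBundle at the text of each script your page loads; the publishable pk_live_ key and the anon JWT are correctly left alone, while the five secrets are reported in redacted form.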
Or let us check for you
SafeToShip scans your client-side JavaScript for leaked secrets, hardcoded tokens, and high-entropy strings that look like credentials. We check for 20+ key patterns across all major providers.
It takes 60 seconds, checks 10 security modules, and your first scan is always free.
The fix is usually simple
In most cases, the fix is moving your API call from a client component to a server action or API route. Your AI tool can do this for you. Just paste the fix prompt from your SafeToShip report and it will restructure the code to keep secrets on the server.
The important thing is knowing the problem exists. Most vibe coders we talk to had no idea their keys were exposed until they ran a scan.