Critical severity · Next.js

Exposed Anthropic key on Next.js

Your Anthropic API key (starts with `sk-ant-`) is in your client bundle. Key scrapers find these as fast as OpenAI keys and use them to run Claude on your bill. Fix: revoke in Anthropic Console, set a usage limit, and move every Claude call to server-side code. Use the Vercel AI Gateway or your own Route Handlers so the key never reaches the browser.

The fix for Next.js

Next.js + AI SDK

Use the AI SDK and call Claude via the Gateway.

// app/api/chat/route.ts
// Route Handlers execute only on the server, so the provider key stays in
// server-side environment variables and is never part of the client bundle.
import { streamText } from 'ai';

export async function POST(req: Request) {
  const { messages } = await req.json();
  const result = streamText({
    // A bare 'provider/model' string routes the call through the AI Gateway;
    // no Anthropic key is referenced in application code at all.
    model: 'anthropic/claude-haiku-4-5-20251001',
    messages,
  });
  return result.toTextStreamResponse();
}

Why it matters

Claude billing is not capped by default. A leaked key running Opus models costs hundreds of dollars per hour. Same threat profile as an OpenAI leak.

Confirm the fix worked

Scan your Next.js site to confirm this finding is gone.
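As an added local check (example code written for this page, not the scanner referred to above and not part of the original), the script below walks the client-delivered part of a `next build` output (`.next/static`) and reports anything that looks like an Anthropic key, plus any `NEXT_PUBLIC_*` variable whose name mentions Anthropic or Claude, since Next.js inlines public variables into the browser bundle. The file name `scan-bundle.ts`, the function names, the key pattern beyond the `sk-ant-` prefix and the env-var heuristic are all assumptions; the sample chunks are constructed and contain no real key.

```typescript
// scan-bundle.ts (added example; file name and all function names are assumed)
// Post-build check: walk the client-delivered part of a Next.js build and
// report anything that looks like an Anthropic key. Run after `next build`.
import * as fs from 'node:fs';
import * as path from 'node:path';

// The page only states the `sk-ant-` prefix; the character class and the
// minimum length after it are assumptions chosen to limit false positives.
const ANTHROPIC_KEY = /sk-ant-[A-Za-z0-9_-]{20,}/;

// Assumption: Next.js inlines NEXT_PUBLIC_* variables into the browser bundle,
// so a public variable whose name mentions Anthropic or Claude is a leak path
// even before any literal key shows up.
const PUBLIC_ENV = /NEXT_PUBLIC_[A-Z0-9_]*(ANTHROPIC|CLAUDE)[A-Z0-9_]*/;

export interface Finding {
  file: string;
  kind: 'anthropic-key' | 'public-env';
  match: string; // key findings are redacted, see redact()
}

// Redact so the report itself does not become a second copy of the secret.
export function redact(secret: string): string {
  return secret.length <= 12
    ? secret
    : secret.slice(0, 7) + '...' + secret.slice(-4);
}

// Collect every non-overlapping match; a fresh RegExp avoids shared lastIndex state.
function findAll(re: RegExp, text: string): string[] {
  const out: string[] = [];
  const r = new RegExp(re.source, 'g');
  let m: RegExpExecArray | null;
  while ((m = r.exec(text)) !== null) out.push(m[0]);
  return out;
}

export function scanText(file: string, text: string): Finding[] {
  const findings: Finding[] = [];
  for (const key of findAll(ANTHROPIC_KEY, text)) {
    findings.push({ file, kind: 'anthropic-key', match: redact(key) });
  }
  for (const name of findAll(PUBLIC_ENV, text)) {
    findings.push({ file, kind: 'public-env', match: name });
  }
  return findings;
}

// Recursively list the text-bearing files under a directory.
export function walk(dir: string): string[] {
  const files: string[] = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) files.push(...walk(full));
    else if (/\.(js|mjs|css|html|json|txt|map)$/.test(entry.name)) files.push(full);
  }
  return files;
}

// Only `.next/static` is downloaded by the browser; server chunks may
// legitimately reference the key, so they are deliberately not scanned here.
export function scanBuildDir(buildDir: string): Finding[] {
  const clientDir = path.join(buildDir, 'static');
  if (!fs.existsSync(clientDir)) return [];
  const findings: Finding[] = [];
  for (const f of walk(clientDir)) {
    findings.push(...scanText(f, fs.readFileSync(f, 'utf8')));
  }
  return findings;
}

// Constructed sample chunks (not real keys) so the checker can be exercised offline.
export const SAMPLE_LEAKY_CHUNK =
  'const c=new Anthropic({apiKey:"sk-ant-EXAMPLE0000000000000000000000FAKE"});';
export const SAMPLE_CLEAN_CHUNK =
  'fetch("/api/chat",{method:"POST",body:JSON.stringify({messages})})';

// Usage: npx tsx scan-bundle.ts .next   (exit code 1 when anything is found)
export function main(buildDir: string): number {
  const findings = scanBuildDir(buildDir);
  for (const f of findings) console.log(`${f.kind}\t${f.file}\t${f.match}`);
  return findings.length === 0 ? 0 : 1;
}

if (process.argv[1] && process.argv[1].endsWith('scan-bundle.ts')) {
  process.exit(main(process.argv[2] ?? '.next'));
}
```

Wire it into CI right after `next build` so a non-zero exit blocks the deploy. A clean client that only calls `/api/chat` (as in the route handler above) produces no findings; a bundle that embeds a key, or that references a `NEXT_PUBLIC_` variable naming the provider, fails the build before the key ever reaches a browser.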

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

My Anthropic API key (sk-ant-) is exposed in my frontend. Revoke it in Anthropic Console, then migrate my Claude calls to a server-side route handler using the Vercel AI SDK. Set a monthly usage limit in Anthropic billing settings.

FAQ

Frequently asked questions

Should I just use a different provider?
The provider does not matter — all LLM keys have the same threat model. The fix is server-side routing, not switching vendors.