You leaked a key. Here is how to fix it in the next 60 seconds.
Speed matters more than ceremony. Pick the credential you exposed, follow three steps, and confirm with a scan that nothing else leaked at the same time.
- OpenAI API key
OpenAI API key leaked? Revoke and rotate in 60 seconds
Your OpenAI key is in the wrong place. Revoke it now, rotate to a new one, and scan to see what else leaked alongside it. Step-by-step.
- Anthropic API key
Anthropic API key leaked? Here is the 3-step recovery
A leaked Anthropic key is drained fast. Revoke in the Console, rotate to a new key, then scan your live site to confirm nothing else leaked.
- Stripe secret key
Stripe secret key leaked? Roll it now — this is a five-alarm incident
A leaked sk_live_ key can charge customers, refund payments, and read your entire customer database. Roll the key in the dashboard right now, then audit logs.
- Stripe restricted key
Stripe restricted key (rk_live_) leaked: scoped damage, real fix
A leaked rk_live_ key is less catastrophic than the master, but its scoped permissions still let attackers act. Revoke and rotate now.
- Supabase service_role key
Supabase service_role key leaked? It bypasses RLS — act now
The service_role key ignores Row Level Security. If it leaked, treat your entire database as compromised. Rotate immediately and audit access.
- Supabase anon key (with RLS disabled)
Supabase anon key in the wrong place: when it actually matters
The anon key is designed to be public — but only if RLS is enabled on every table. If your RLS is disabled, the anon key is the back door.
- AWS access key
AWS access key leaked? Disable it in IAM right now
A leaked AKIA key can spin up EC2 instances, drain S3, and rack up thousands in bills within hours. Deactivate in IAM, then audit CloudTrail.
- GitHub personal access token
GitHub personal access token leaked? Revoke before it gets used
A leaked GitHub PAT can read or push to every repo it scopes, including private ones. GitHub usually auto-revokes detected PATs — confirm and rotate.
- Google API key
Google API key (AIza...) exposed: restrict it before billing spikes
Google API keys are designed to be public-ish, but only if you restrict them to specific HTTP referrers and APIs. Unrestricted, they bleed.
- Resend API key
Resend API key (re_...) leaked: stop the spam before reputation tanks
A leaked Resend key sends mail from your verified domain. Spam burns your sending reputation in hours and gets your domain blocklisted.
- SendGrid API key
SendGrid API key (SG.) leaked: revoke and audit mail logs
SendGrid keys can send millions of emails before you notice. Revoke in the dashboard now and audit Activity Feed for unfamiliar sends.
- Twilio auth token
Twilio auth token leaked? Roll it now — SMS fraud is fast
A leaked Twilio auth token sends SMS to premium numbers, racking up thousands in fees in minutes. Roll the secondary token, promote it, audit.
- Mapbox access token
Mapbox access token leaked: rotate the secret, scope the public
Mapbox tokens come in two flavors: secret (sk.) and public (pk.). A leaked secret token is critical; public tokens need URL restrictions.
- Algolia admin API key
Algolia admin API key leaked: rotate now, never use it client-side
The Algolia admin key can read, write, and delete every index. If it leaked, attackers can wipe your entire search corpus. Rotate immediately.
- Firebase service account key
Firebase service account JSON leaked: revoke and rotate keys
A leaked Firebase service-account JSON gives root access to your Firebase project. Revoke the key in IAM and audit Firestore for tampering.
- Environment variables file
.env pushed to GitHub: every secret in it is now public
A committed .env file is the most common secret leak. Removing it from the latest commit does not unleak it — every value must be rotated.