Critical: act in the next 60 seconds

Anthropic API key leaked? Here is the 3-step recovery

Your Anthropic API key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Revoke: open the Anthropic Console, go to API Keys, delete the leaked key.

  2. Rotate: create a replacement and update your server env vars, never the client bundle.

  3. Scan: check your live URL for any other secret patterns sitting in the same deploy.

Step 01 — Revoke

Kill the leaked credential first

Console → Settings → API Keys → three-dot menu on the leaked key → Delete → Confirm. Deleting first means anything still using that key fails until the replacement is deployed; accept that, because every minute the key stays valid is a minute someone else can bill against your account. Then "Create Key" inside the specific workspace that needs it, so a future leak is confined to that workspace (lower blast radius). While you are in the console, check the usage view for requests you did not make.


Step 02 — Rotate

Update the new key in the right place

Server-side env vars only. Never in client code, and never with a NEXT_PUBLIC_ prefix: Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle at build time, so such a value is public by construction.

// app/api/claude/route.ts (a Next.js route handler, so it runs only on the server)
import Anthropic from '@anthropic-ai/sdk';

// Read the key from the server process environment. No NEXT_PUBLIC_ prefix:
// that prefix is what tells Next.js to ship the value to the browser.
const client = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan your live URL, meaning the HTML plus every script it loads, to confirm no other AI keys, database credentials, or .env files are exposed in the same deploy.

How this usually leaks

  • Vibe-coded "talk to Claude" frontends ship the key in client JS.
  • .env file committed to GitHub in the first scaffolded commit.
  • NEXT_PUBLIC_ANTHROPIC_API_KEY accidentally used in a Next.js project.
  • Pasted into a tweet, screenshot, or Stack Overflow question.
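The check in step 3 and the leak vectors just listed come down to one thing: grep the artifact that actually reached the public (the served bundle, the committed .env) for the patterns you know are secrets. Here is an added TypeScript example of that scan. It is not the page's own scanner and not anything Anthropic ships; the sk-ant- prefix is the one the page names, but the length bound and character class for the key body, the NEXT_PUBLIC_ naming heuristic, and the two sample inputs are assumptions constructed for the example. It reports a fingerprint of each hit rather than the raw value, so the scan report itself cannot re-leak the key.

```typescript
// scan-leaks.ts: added example, not code from this page or from Anthropic.
// Scans text (a fetched JS bundle, an HTML page, a committed .env file) for the
// leak patterns described above and reports fingerprints instead of raw values.
import { createHash } from 'node:crypto';

export interface Finding {
  rule: string;
  line: number;        // 1-based line in the scanned text
  fingerprint: string; // prefix + truncated sha256, never the full secret
}

// Detection rules. "sk-ant-" is the prefix the page names; the {20,} bound and the
// character class for the key body are assumptions, not Anthropic's published spec.
const RULES: { name: string; re: RegExp }[] = [
  { name: 'anthropic-key', re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
  // A NEXT_PUBLIC_ variable whose name says it holds a secret. Next.js inlines
  // NEXT_PUBLIC_* into the browser bundle, so its value is public by construction.
  { name: 'next-public-secret',
    re: /NEXT_PUBLIC_[A-Z0-9_]*(?:KEY|SECRET|TOKEN)[A-Z0-9_]*\s*[:=]\s*['"]?[^'"\s]{8,}/g },
  // .env-style assignment of a credential-looking variable at the start of a line.
  { name: 'env-assignment',
    re: /^\s*(?:[A-Z0-9_]*(?:API_KEY|SECRET|TOKEN)|DATABASE_URL)\s*=\s*\S+/gm },
];

// First 12 characters (enough to match against the console's key list) plus a
// truncated hash; the full secret never appears in the report.
export function fingerprint(secret: string): string {
  const h = createHash('sha256').update(secret).digest('hex').slice(0, 8);
  return `${secret.slice(0, 12)}...sha256:${h}`;
}

export function scanText(text: string): Finding[] {
  const findings: Finding[] = [];
  for (const { name, re } of RULES) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ rule: name, line, fingerprint: fingerprint(m[0]) });
    }
  }
  return findings.sort((a, b) => a.line - b.line); // stable: rule order kept within a line
}

// Scan a live deployment the way step 3 describes: the HTML plus every script it
// references. Uses Node 18+ global fetch; this is the only part that touches the network.
export async function scanUrl(url: string): Promise<Finding[]> {
  const get = async (u: string): Promise<string> => (await (globalThis as any).fetch(u)).text();
  const html = await get(url);
  const out = scanText(html);
  const srcRe = /<script[^>]+src=["']([^"']+)["']/gi;
  let m: RegExpExecArray | null;
  while ((m = srcRe.exec(html)) !== null) {
    out.push(...scanText(await get(new URL(m[1], url).toString())));
  }
  return out;
}

// Constructed samples, not real credentials: a client bundle that inlined the key
// (first leak vector above) and a .env file that got committed (second and third).
export const SAMPLE_BUNDLE =
  '(()=>{const k="sk-ant-api03-EXAMPLE0000000000000000000000000000AA";' +
  'fetch("https://api.anthropic.com/v1/messages",{headers:{"x-api-key":k}})})();';
export const SAMPLE_ENV = [
  'NEXT_PUBLIC_ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLE1111111111111111111111111111AA',
  'DATABASE_URL=postgres://app:hunter2@db.internal:5432/app',
  'NODE_ENV=production',
].join('\n');

for (const [label, text] of [['bundle', SAMPLE_BUNDLE], ['.env', SAMPLE_ENV]]) {
  for (const f of scanText(text)) console.log(`${label}:${f.line} ${f.rule} ${f.fingerprint}`);
}
```

Run it with `npx tsx scan-leaks.ts` to see the findings on the constructed samples, or call `scanUrl('https://your-deploy.example')` against a real deployment. A pattern scan only finds secrets that appear verbatim: a key that is split across string literals or fetched at runtime will not match, so treat a clean result as "nothing obvious", not as proof.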

FAQ

Frequently asked questions

Does Anthropic detect leaked keys like OpenAI does?
Anthropic monitors public GitHub for sk-ant- prefixes and revokes keys it detects, similar to OpenAI. Treat that as a backstop only: it covers public GitHub, not a deployed JS bundle, a screenshot, or a private repo that is made public later. Rotate immediately the moment you suspect exposure.
Are workspace keys safer than account keys?
Yes. Workspace keys are scoped to a single project with their own usage limits. If one leaks, the blast radius is one workspace, not your whole organization. Use them.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.