Critical: act in the next 60 seconds

OpenAI API key leaked? Revoke and rotate in 60 seconds

Your OpenAI API key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01: Revoke the key in the OpenAI dashboard. Do this first, before anything else.
  2. Step 02: Generate a new key and update your server-side env vars (Vercel, Netlify, Railway, etc.).
  3. Step 03: Scan your live URL to confirm nothing else leaked in the same deploy.

Step 01 — Revoke

Kill the leaked credential first

Sign in and find the leaked key in the list. The list shows only the first and last few characters of each key, so match on those against the value you saw exposed, then click the trash icon. The key is dead in seconds: any in-flight requests using it fail, including your own app's requests until Step 02 is deployed, and that brief outage is the intended trade-off. Then click "Create new secret key", give it the same name, and copy the new value once (you cannot view it again). While you are in the dashboard, check the Usage page for spend you do not recognise; that tells you whether the key was already abused.

Open the OpenAI API keys dashboard: https://platform.openai.com/api-keys

Step 02 — Rotate

Put the new key in the right place

Server-side env vars only — never in client code, never with NEXT_PUBLIC_.

app/api/ai/route.ts — server only

```ts
// app/api/ai/route.ts — server only. The key is read from the server's env.
// NEVER prefix it with NEXT_PUBLIC_, or Next.js inlines it into the browser bundle.
export async function POST(req: Request) {
  const apiKey = process.env.OPENAI_API_KEY;
  if (!apiKey) return new Response('OPENAI_API_KEY not configured', { status: 500 });

  const { messages } = await req.json();
  const res = await fetch('https://api.openai.com/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ model: 'gpt-4o-mini', messages }),
  });
  // Pass the upstream status and body through; the key itself never reaches the client.
  return new Response(res.body, { status: res.status, headers: { 'Content-Type': 'application/json' } });
}
```

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan your live site to find the rest of what leaked — bundle secrets, exposed config, public env files.

How this usually leaks

  1. Hardcoded into a frontend file by Lovable, Bolt, or Cursor when scaffolding an "AI feature".
  2. Committed to a public GitHub repo inside .env or a config file.
  3. Inlined into the JS bundle via NEXT_PUBLIC_OPENAI_API_KEY (anything NEXT_PUBLIC_ ships to the browser).
  4. Pasted into a Vercel build log that was shared in a public Discord or screenshot.
  5. Left in a Postman collection or .http file committed to source control.
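Added example, not the page's own code: a TypeScript pre-deploy guard for Step 02 and a bundle scanner for Step 03, both built on one key-shape pattern. It assumes the fixed marker T3BlbkFJ (base64 of "OpenAI") appears in every current OpenAI key format; that is what secret scanners rely on, not anything OpenAI documents, so it is a heuristic. The env names, the bundle text and the key inside them are constructed for the demo, and the key is a fake built to that shape.

```typescript
// Added example (not the page's own code): a Step 02 env guard and a Step 03
// bundle scanner sharing one key-shape pattern.
//
// Assumption: every OpenAI key format seen so far (sk-..., sk-proj-..., sk-svcacct-...)
// carries the fixed marker "T3BlbkFJ" (base64 of "OpenAI") between two runs of
// URL-safe base64 characters. Secret scanners use this observation; OpenAI does not
// document it, so the NEXT_PUBLIC_ name check below is the second line of defence.
const KEY_SHAPE_SRC =
  '(?<![A-Za-z0-9_-])sk-(?:proj-|svcacct-|admin-)?[A-Za-z0-9_-]{20,}T3BlbkFJ[A-Za-z0-9_-]{20,}(?![A-Za-z0-9_-])';
const KEY_SHAPE = new RegExp(KEY_SHAPE_SRC);

type Finding = { kind: 'env' | 'bundle'; where: string; redacted: string };

// Never log the full key: keep the prefix that identifies the format plus the
// last four characters, which is enough to match it against the dashboard list.
function redact(key: string): string {
  return `${key.slice(0, 11)}...${key.slice(-4)}`;
}

// Step 02 guard: run against the build environment in CI. Fails the deploy if any
// variable Next.js would inline into the browser bundle (NEXT_PUBLIC_*) either
// names a secret or carries a value shaped like an OpenAI key. OPENAI_API_KEY
// without the prefix is the correct, server-only place and is not flagged.
function auditEnv(env: Record<string, string | undefined>): Finding[] {
  const findings: Finding[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue;
    const namedLikeSecret = /OPENAI|SECRET/i.test(name);
    const valueLikeKey = value !== undefined && KEY_SHAPE.test(value);
    if (namedLikeSecret || valueLikeKey) {
      findings.push({ kind: 'env', where: name, redacted: value ? redact(value) : '(empty)' });
    }
  }
  return findings;
}

// Step 03 scanner: feed it the text of every JS asset your live page loads
// (fetch each <script src> and pass the body). Reports a redacted key and the
// line it sits on, so you can find it in the deployed bundle.
function scanBundle(text: string, label: string): Finding[] {
  const findings: Finding[] = [];
  for (const m of text.matchAll(new RegExp(KEY_SHAPE_SRC, 'g'))) {
    const line = text.slice(0, m.index ?? 0).split('\n').length;
    findings.push({ kind: 'bundle', where: `${label}:${line}`, redacted: redact(m[0]) });
  }
  return findings;
}

// Constructed inputs. FAKE_KEY is built to the shape above and is not a real key.
const FAKE_KEY = 'sk-proj-' + 'FAKE'.repeat(6) + 'T3BlbkFJ' + 'FAKE'.repeat(6);

const buildEnv: Record<string, string | undefined> = {
  OPENAI_API_KEY: FAKE_KEY,                    // correct: server-side only
  NEXT_PUBLIC_SITE_URL: 'https://example.com', // harmless public config
  NEXT_PUBLIC_OPENAI_API_KEY: FAKE_KEY,        // leak path 3 from the list above
};

// Constructed bundle text resembling what a scaffolder emits when it puts the
// OpenAI client in the browser; the key ends up on line 3.
const bundleText = [
  '"use strict";',
  'var siteUrl="https://example.com";',
  `var client=new OpenAI({apiKey:"${FAKE_KEY}",dangerouslyAllowBrowser:true});`,
  'var task="task-42";',
].join('\n');

function runDemo(): Finding[] {
  return [...auditEnv(buildEnv), ...scanBundle(bundleText, 'main.js')];
}

for (const f of runDemo()) console.log(`${f.kind} ${f.where} ${f.redacted}`);
```

Run auditEnv in CI before `next build` and scanBundle over each script the live page loads. A hit in the bundle means the old value is baked into the deployed assets: after rotating, you need a full rebuild and redeploy, not just a new env var, because the previous bundle keeps being served until then.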

FAQ

Frequently asked questions

OpenAI emailed me saying my key was leaked. Do they auto-disable it?
OpenAI auto-revokes keys they detect on public GitHub or in published mobile apps. You will get an email. The key is already dead by the time the email lands. Your action: rotate, then audit the codebase to find every place it was used.
How fast can someone drain my account on a leaked key?
Bots scrape GitHub commits in real time. We have seen keys from public commits used within 90 seconds of being pushed. Treat any exposure, even a brief one, as a compromise.
Will I have to pay for the abuse?
OpenAI has historically credited customers for fraud from auto-detected leaks if you contact support quickly. Set hard usage limits in Settings → Limits today regardless.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.