Find exposed API keys in your app

Every place a secret leaks into the browser

Frequently asked questions

How do API keys get exposed in a deployed app?

Front-end build tools inline anything with a public prefix — Vite ships every VITE_ variable, Next.js ships every NEXT_PUBLIC_ one — straight into the JavaScript that loads in the browser. AI code generators reach for those prefixes "to make it work," so real OpenAI, Anthropic, Stripe, and Supabase service-role keys routinely end up in the public bundle. Anyone can open DevTools and read them.

How do I find exposed keys in my own app?

Paste your deployed URL into CheckVibe. It downloads the same JavaScript, CSS, and source maps your visitors get and scans them against 100+ known key patterns (sk-…, sk_live_…, AIza…, AKIA…, JWT shapes, Supabase service-role tokens) plus a high-entropy detector that catches custom secrets. You get the exact file and snippet for each hit.

Is the scan free and private?

Yes — scanning is free with no signup, and CheckVibe only reads what your site already serves publicly. It never needs your repo or environment file. A free account unlocks the full list; paid plans add copy-paste fix prompts and continuous monitoring so a key can’t silently come back on the next deploy.

I found a leaked key — what do I do?

Rotate it first (the exposed value is already compromised), then move it server-side: call the third-party API from a backend route or edge function and remove the public-prefixed variable. CheckVibe gives you a copy-paste prompt that does exactly this for your framework, then re-scan to confirm it’s gone.

Does it catch keys in source maps and inline scripts?

Yes. CheckVibe inspects external bundles, inline scripts, and (when published) source maps — the places AI-generated apps most often leak. It also checks for the broader set of issues a leaked key signals: open CORS, missing headers, and world-readable Supabase or Firebase data.