FreeToolKit Logo
🗝️Security

API Keys: How Developers Accidentally Leak Them and How to Stop

Leaked API keys have caused real catastrophes — AWS bills in the hundreds of thousands, data breaches, service shutdowns. Here's what you're doing wrong and how to fix it.

7 min readJanuary 24, 2026By FreeToolKit TeamFree to read

I know a developer who committed an AWS access key to a public GitHub repo at 9pm. By 11pm, attackers had spun up 50 EC2 instances. The bill reached $47,000 before AWS caught the anomalous usage. AWS eventually waived most of it. The recovery process took two weeks.

This isn't rare. It happens constantly. Here's how to not be that person.

How Keys Get Leaked

Committed to Git is the most common. Hardcoded in source code, or in a .env file that someone forgot to gitignore. Sometimes it's in config files, sometimes in test files, sometimes in scripts someone added 'temporarily.'

Other paths: accidentally pasted in a chat message, included in a bug report screenshot, logged by an exception handler that logs the full request (including headers with auth tokens), or in a container image pushed to a public registry.

The Setup That Prevents Git Leaks

Three lines of protection:

  • .env is in .gitignore before you create it
  • git-secrets or gitleaks pre-commit hook scans every commit for credential patterns
  • GitHub secret scanning enabled on all repositories

The pre-commit hook is the insurance policy. Even if you forget that a file has credentials, the hook catches it before the push happens.

Principle of Least Privilege

Every API key should have only the permissions it needs. If your application only reads from an S3 bucket, the key should not have write or delete permissions. If your key only sends email, it shouldn't have access to billing or account management. Most developers use admin-level keys because it's easier than scoping permissions. The security cost is enormous — a leaked key with minimal permissions does minimal damage. A leaked admin key is a catastrophe.

If You've Already Leaked a Key

Revoke it immediately. Don't try to figure out if it was used first — revoke, then investigate. Time matters. Then audit your audit logs to understand what happened. Then figure out how it leaked and fix that gap. GitHub has a guide for removing sensitive data from history (git filter-repo) if you need to purge it from historical commits too.

Encode sensitive values as base64 for environment →

Frequently Asked Questions

What happens if my API key is leaked on GitHub?+
Bots scan GitHub continuously for API keys — not occasionally, in real time. Minutes after a push containing a key, scripts controlled by attackers will attempt to use it. AWS access key leaks lead to immediate resource provisioning for crypto mining — the AWS bill arrives within hours. OpenAI key leaks result in usage charges that can reach thousands of dollars. Stripe key leaks can compromise customer payment data. GitHub itself has secret scanning that can detect some credential types and notify you automatically, but you should assume any leaked key is compromised immediately and revoke it without waiting for notification.
How do I store API keys safely in development?+
Environment variables, not code. Create a .env file at the project root for local development. Add .env to your .gitignore immediately when you create it — before you add any keys. Use a library like dotenv (Node.js) or python-decouple (Python) to load variables from .env into your application. Verify .env is in .gitignore by running git status — it should show as ignored. For team collaboration, create a .env.example file with the variable names but placeholder values, which is safe to commit. Real values get shared through a secure channel like 1Password shared vaults.
What is the difference between client-side and server-side API keys?+
Server-side keys are private — they should never reach the user's browser. They live in environment variables, are only used in backend code, and grant full API access. Client-side keys are public by design — browser SDKs for analytics, maps, and payment forms use them and they're embedded in your JavaScript. The distinction matters because client-side keys need to be restricted by allowed domains and referrers in the API provider's dashboard. A Google Maps API key must have HTTP referrer restrictions set, otherwise anyone can use your key from their own site and your billing explodes.
Should I rotate API keys regularly?+
Yes for production, and especially after any personnel changes. Most API providers let you generate new keys without revoking old ones, so you can do a zero-downtime rotation. Create the new key, update all systems to use it, then revoke the old key. High-priority rotation triggers: a developer with key access leaves the company, any suspicion of key leakage, after any breach or security incident, or annually as a hygiene practice. For short-lived credentials (AWS IAM roles, OIDC tokens), automatic expiration handles this for you — prefer these over long-lived static keys when the provider supports them.

🔧 Free Tools Used in This Guide

Base64 Encoder Sha256 Hash Generator Password Generator
FT

FreeToolKit Team

FreeToolKit Team

We build free browser-based tools and write practical guides that skip the fluff.

Tags:

securitydeveloperapidevops

Continue Reading

⚙️

GitHub Actions: The Guide That Starts Where the Docs Leave Off

8 min read
⚠️

Your Data Was Breached. Now What? (An Honest Timeline)

7 min read
← Back to BlogBrowse All Tools