Exposed API Keys
GitGuardian found over 12.8 million hardcoded secrets in public GitHub commits in 2023. SaaSalyst scans your inline scripts and JavaScript bundles for 12 API key patterns, detecting exposed secrets from OpenAI, Stripe, AWS, Supabase, and more before attackers find them.
What SaaSalyst Checks
SaaSalyst extracts text from inline <script> tags and fetches up to 10 JavaScript bundle files linked from your page. Each source is scanned against 12 regex patterns for known API key formats. Shannon entropy analysis filters false positives, and known example keys (like AWS documentation keys) are excluded. Supabase JWTs are decoded to differentiate safe anon keys from dangerous service role keys.
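The pipeline described above (regex patterns, entropy filter, example-key exclusion, Supabase JWT role check) as an added JavaScript example that is not SaaSalyst's code: three illustrative patterns stand in for the 12 the scanner uses, the entropy threshold and the example-key list are assumptions, and every key in the sample bundle is constructed.

```javascript
// Added example, not SaaSalyst's own code. Patterns are illustrative
// approximations of public key formats; the threshold is an assumption.
const PATTERNS = [
  { name: 'AWS access key ID', regex: /\bAKIA[0-9A-Z]{16}\b/g, severity: 'critical' },
  { name: 'Stripe live secret key', regex: /\bsk_live_[0-9A-Za-z]{24,}\b/g, severity: 'critical' },
  { name: 'OpenAI API key', regex: /\bsk-[A-Za-z0-9_-]{32,}/g, severity: 'critical' },
  // Supabase keys are JWTs; severity is decided from the decoded role claim.
  { name: 'Supabase JWT', regex: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g, severity: null },
];

// Publicly documented placeholder keys that are never live credentials.
const KNOWN_EXAMPLE_KEYS = new Set(['AKIAIOSFODNN7EXAMPLE']); // AWS documentation example

// Below this many bits per character a match is probably a placeholder ("000...").
const ENTROPY_THRESHOLD = 3.0;

// Shannon entropy in bits per character over the string's character distribution.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Decode the JWT payload without verifying the signature: the scanner only
// needs the claims, not proof that the token is authentic.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch {
    return null;
  }
}

// Never write the full secret into a report.
function redact(value) {
  return value.slice(0, 8) + '...' + value.slice(-4);
}

function scanSource(source) {
  const findings = [];
  for (const { name, regex, severity } of PATTERNS) {
    for (const match of source.matchAll(regex)) {
      const value = match[0];
      if (KNOWN_EXAMPLE_KEYS.has(value)) continue;
      if (severity === null) {
        const claims = decodeJwtPayload(value);
        if (!claims || !['anon', 'service_role'].includes(claims.role)) continue;
        findings.push({
          name: `Supabase ${claims.role} key`,
          severity: claims.role === 'service_role' ? 'critical' : 'warning',
          value: redact(value),
        });
        continue;
      }
      if (shannonEntropy(value) < ENTROPY_THRESHOLD) continue; // placeholder, not a key
      findings.push({ name, severity, value: redact(value) });
    }
  }
  return findings;
}

// Constructed sample JWT with the claim layout of a Supabase key; the signature is fake.
function fakeSupabaseJwt(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ iss: 'supabase', ref: 'exampleproject', role })}.${'x'.repeat(43)}`;
}

// Constructed sample of a bundle; none of these values are real credentials.
const SAMPLE_BUNDLE = [
  'var docsExample = "AKIAIOSFODNN7EXAMPLE";',          // excluded: documentation key
  'var awsKey = "AKIAABCDEFGHIJKLMNOP";',                // reported: critical
  `var stripePlaceholder = "sk_live_${'0'.repeat(24)}";`, // dropped by entropy filter
  'var stripeKey = "sk_live_Q7mX2pLv9RtBk4Yz8WcnD3Hg";', // reported: critical
  `var supabaseAnon = "${fakeSupabaseJwt('anon')}";`,     // reported: warning
  `var supabaseService = "${fakeSupabaseJwt('service_role')}";`, // reported: critical
].join('\n');

console.log(scanSource(SAMPLE_BUNDLE));
```

Run with node; the sample yields four findings (three critical, one warning), the documentation key is silently skipped, and the all-zero Stripe placeholder is discarded by the entropy check rather than reported.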
Why This Matters
API keys in client-side code can be extracted by anyone with a browser's developer tools. Exposed OpenAI or Anthropic keys let attackers run up your AI usage bills. Exposed Stripe secret keys enable unauthorized charges and refunds. Exposed AWS access keys grant access to your entire cloud infrastructure.
Supabase service role keys are especially dangerous — they bypass ALL Row Level Security, giving anyone full read/write/delete access to your database. Unlike anon keys (which are designed for client-side use with RLS), service role keys must never appear in frontend code.
Enterprise security teams use automated scanners to check for exposed secrets. If they find one, your product is immediately disqualified from procurement consideration.
- 40%: higher secret exposure in repos using AI coding assistants (GitGuardian 2025 Report)
- 400+: exposed secrets found across 5,600 vibe-coded apps (Escape.tech)
How to Fix It
- Move all secret API keys to server-side environment variables. Never import or reference them in client-side code.
- Use API routes or serverless functions as proxies — your frontend calls your backend, which calls the external API with the secret key.
- Rotate any keys that have been exposed in client-side code immediately. Assume they have been compromised.
- For Supabase, use only the anon key in client code and ensure Row Level Security (RLS) policies are enabled on all tables.
- Configure your build system to prevent accidental inclusion of server-side env vars in client bundles.
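The proxy step and the build-system step from the list above, as one added Node.js example that is not the page's or any framework's code: UPSTREAM_URL, the allowed-field list and the env variable names are assumptions, and the NEXT_PUBLIC_ / VITE_ prefixes are the public-variable conventions of Next.js and Vite.

```javascript
// Added example, not the page's own code. The secret is read only on the server;
// the browser talks to this handler, which talks to the external API.
const UPSTREAM_URL = 'https://api.example.invalid/v1/complete'; // assumed upstream endpoint

// Fields the browser may influence. Everything else (model, limits, the key)
// is fixed server-side so a client cannot drive up usage on your account.
const CLIENT_ALLOWED_FIELDS = ['prompt', 'maxTokens'];
const MAX_TOKENS_CAP = 512;

// Build the upstream request from the client's body. The key is injected here
// and never echoed back to the client.
function buildUpstreamRequest(clientBody, apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new Error('server is missing its API key; refusing to proxy');
  }
  const body = {};
  for (const field of CLIENT_ALLOWED_FIELDS) {
    if (field in clientBody) body[field] = clientBody[field];
  }
  body.maxTokens = Math.min(Number(body.maxTokens) || MAX_TOKENS_CAP, MAX_TOKENS_CAP);
  return {
    url: UPSTREAM_URL,
    init: {
      method: 'POST',
      headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Strip upstream details the browser has no business seeing (assumed reply shape).
function toClientResponse(upstreamStatus, upstreamJson) {
  const { usage, ...rest } = upstreamJson;
  return { status: upstreamStatus, body: rest };
}

// Route handler: the only place the secret is touched. fetchImpl is injectable
// so the pattern can be exercised without network access.
async function handleProxyRequest(clientBody, opts = {}) {
  const apiKey = opts.apiKey !== undefined ? opts.apiKey : process.env.UPSTREAM_API_KEY;
  const fetchImpl = opts.fetchImpl || globalThis.fetch;
  const { url, init } = buildUpstreamRequest(clientBody, apiKey);
  const res = await fetchImpl(url, init);
  return toClientResponse(res.status, await res.json());
}

// Post-build guard: any env var not marked public must be absent from the bundle.
// Run it against the built output and fail the build if it returns anything.
function findLeakedSecrets(bundleText, env, publicPrefixes = ['NEXT_PUBLIC_', 'VITE_']) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (!value || value.length < 8) continue; // short values would cause false positives
    if (publicPrefixes.some((p) => name.startsWith(p))) continue;
    if (bundleText.includes(value)) leaked.push(name);
  }
  return leaked;
}

// Constructed sample: a build that accidentally inlined the service role key.
const SAMPLE_ENV = {
  NEXT_PUBLIC_SUPABASE_URL: 'https://exampleproject.supabase.co',
  SUPABASE_SERVICE_ROLE_KEY: 'constructed-service-role-value-123456',
  UPSTREAM_API_KEY: 'constructed-upstream-key-abcdef',
};
const SAMPLE_BUNDLE =
  'fetch("https://exampleproject.supabase.co/rest/v1/users",{headers:{apikey:"constructed-service-role-value-123456"}})';

const leaked = findLeakedSecrets(SAMPLE_BUNDLE, SAMPLE_ENV);
if (leaked.length > 0) {
  // In a real post-build script this is where you would exit with a non-zero status.
  console.error(`build check failed: server-only env vars found in client bundle: ${leaked.join(', ')}`);
}
```

The handler deliberately does not forward the client's body as-is: an allow-list of fields plus a server-side cap means the key cannot be used for anything the frontend was not designed to do, even if the proxy endpoint itself is reachable by anyone.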
Frequently Asked Questions
How does SaaSalyst detect exposed API keys?
SaaSalyst scans inline scripts and JavaScript bundles for 12 known API key patterns from services like OpenAI, Stripe, AWS, and Supabase. Shannon entropy analysis reduces false positives, and Supabase JWTs are decoded to differentiate anon keys from dangerous service role keys.
Why are exposed API keys critical?
SaaSalyst rates exposed API keys as critical severity because they enable unauthorized access to paid services, cloud infrastructure, and databases. Attackers actively scan for exposed keys to exploit them.
Is a Supabase anon key safe to expose?
SaaSalyst treats Supabase anon keys as a warning (not critical) because they are designed for client-side use — IF Row Level Security policies are properly configured. Service role keys bypass all RLS and are always critical.