Guide

Is your API key exposed? How to check

Leaked API keys are the most common cause of data leaks. Here's how to check whether yours are exposed, and what to do if they are.

An exposed API key is the digital equivalent of leaving your front door key taped to the door. It's the single most common way small businesses leak data — and the easiest to check for.

Where keys leak from

  • Public code repositories. A key committed to GitHub, even briefly, is scraped within minutes by automated bots.
  • Front-end code. Keys placed in a website's JavaScript are visible to anyone who opens their browser's developer tools or views the page source.
  • Old backups and pastebins. Config files and database dumps shared "temporarily" and forgotten.
  • Third-party tools. A vendor or contractor's exposure becomes yours.

A 10-minute self-check

  1. Search your public code repositories for words like key, secret, token, and password.
  2. Open your website, view source, and scan the JavaScript for anything that looks like a credential.
  3. Check whether any database, storage bucket, or admin panel is reachable without a login.
  4. Ask every vendor with access to your data how they store their keys.
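As an added example (not part of this guide), here is a small Python scanner that automates step 1: it flags assignments to names like key, secret, token or password whose value looks random (high character entropy), skips placeholders such as `changeme` or environment lookups, and separately matches a few well-known key prefixes. The sample config and the prefix list are constructed for illustration; none of the values is a real credential.

```python
"""Minimal secret scanner: a keyword+entropy rule plus a known-prefix rule."""
import math
import re

# Rule 1: an assignment of key/secret/token/password to a literal-looking value.
KEYWORD_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-./+=]{8,})"
)
# Rule 2: well-known credential prefixes (short illustrative list, not exhaustive).
PREFIX_RE = re.compile(r"\b(AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{24,}|ghp_[0-9A-Za-z]{36})\b")
ENTROPY_THRESHOLD = 3.5  # bits/char: random keys score well above, placeholders below


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; high values suggest a random key, not a word."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def redact(value: str) -> str:
    """Never echo a suspected secret in full; keep a short prefix for identification."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str, path: str = "<text>") -> list[dict]:
    """Return one finding per suspicious match: line number, rule and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEYWORD_RE.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:  # drops os.environ, changeme, ...
                findings.append({"path": path, "line": lineno, "rule": "keyword+entropy",
                                 "value": redact(value)})
        for m in PREFIX_RE.finditer(line):
            findings.append({"path": path, "line": lineno, "rule": "known-prefix",
                             "value": redact(m.group(1))})
    return findings


# Constructed sample config; every value below is made up, none is a real credential.
SAMPLE = """\
api_key = "q7Lm2Xp9Ka4Zr8Tn1Vb6Wc3Yd5Fg0Hj"
password = os.environ.get("DB_PASSWORD")
token = "changeme"
aws_access_key_id = AKIAEXAMPLE000000000
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.cfg"):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['value']}")
```

To run it over a repository, feed each tracked file's contents to `scan_text`; remember that a key removed in a later commit still sits in earlier ones, so scan the history as well as the working tree.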

If you find one

Rotate it immediately: generate a new key and revoke the old one. Assume the exposed key has already been seen and used. Then review the access logs for that key to understand what was reached while it was exposed. Don't just delete the file: the key in it is already out, and in a code repository it remains in the commit history anyway.

Not sure where to look, or what you're seeing? That's exactly what an exposure audit is for.

Want us to just handle it?

Send the details to [email protected] or book a call. We'll check it for you and fix what's exposed.