Your API key is in the client bundle: how to find and fix it
Secret keys in JavaScript bundles and source maps are the most common security failure in modern SaaS apps. Here is how to detect and fix key exposure.
It happens faster than you think. A Supabase service-role key gets assigned to a NEXT_PUBLIC_ variable. A Stripe secret key ends up in a client-side API call. A source map published by the build system exposes backend configuration. The key is now public — cached by search engines, archived by web scrapers, and indexed by automated key-scanning bots that exploit exposed credentials within minutes.
How keys end up in client bundles
The most common paths: environment variable prefixed with NEXT_PUBLIC_ or VITE_ when it should not be, direct import of a server-only module into a client component, source maps left enabled in production builds, and copy-paste from documentation examples that use the secret key for simplicity.
What to scan for
Scan the HTML source, all JavaScript chunks, inline scripts, source maps, and meta tags. Look for patterns matching known key formats: Supabase service-role (starts with eyJ), Stripe secret keys (sk_live_ or sk_test_), Firebase private keys, and any string matching common API key patterns. Automated scanning is essential because keys can appear in dynamically loaded chunks that are not visible in the initial page source.
Source maps: the hidden exposure
Even if your code does not directly expose a key, source maps can reveal the original source files including environment configuration, server-side modules, and inline secrets. If your production build publishes source maps, anyone can reconstruct your entire source tree. Either disable source maps in production or use Sentry-style private source map uploading.
Fix it: remove and rotate
Removing the key from code is not enough. If it was ever publicly accessible, it must be rotated. The old key should be considered compromised. Update your environment variables, deploy a clean build, and verify the new key works. Then scan again to confirm the exposure is resolved.
Scan continuously
PreFlight's Secret Drift Scanner runs against your production origin on every check. It scans pages, bundles, and source maps for exposed keys and flags them immediately. This catches re-introductions that happen when a developer adds a new environment variable with the wrong prefix or when a build configuration change re-enables source maps.
