ClearedToShip
Severity: critical

How to rotate an exposed API key

The problem

An API key that has shipped in a frontend bundle or been pushed to a public repo should be treated as compromised from the moment it was exposed, not from the moment you noticed. Deleting the line does not help: the key is still in git history and in the built bundle, and automated scanners harvest secrets from public commits within minutes. One founder shipped a Stripe secret key to the frontend and 175 customers were charged before he could rotate it. Rotate fast, but in the right order: put the replacement in place before you revoke the old key, unless abuse is already in progress, in which case revoke first and accept the downtime.

Step by step

  1. Generate a new key first

     Create the replacement key in the provider dashboard before revoking the old one, so the cutover has no window in which the app holds no valid key. If the provider supports restricted or scoped keys, issue the replacement with only the permissions the server actually needs.

  2. Deploy the new key to server-side env vars

     Store it only in server environment variables or your platform's secret store, never in client code, in the repo, or in a committed .env file. Anything the browser can fetch, including a minified bundle, is public. If the provider offers a publishable key for browser use, that is the only kind of key that belongs in the frontend.

  3. Revoke the old key

     Once traffic is on the new key and you have confirmed it works, revoke the leaked one immediately. Revocation is what ends the exposure; removing the key from source does not. If you see abuse in progress, skip ahead: revoke first and deal with the outage second.

  4. Check for abuse and purge git history

     Review provider logs for every request made with the old key from the leaking commit or deploy until revocation, and reverse anything unauthorized. Then rewrite git history to remove the key (for example with git filter-repo), force-push, and have every collaborator re-clone. Treat the purge as hygiene, not remediation: forks, clones and third-party caches may still hold the old history, which is why the key is rotated rather than merely deleted.
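Finding every place the leaked key actually lives, in the built bundle and in every past commit on every branch, is the part of step 4 that gets skipped, and it is also how you date the start of the abuse window. The scanner below is an added example written for this page, not ClearedToShip tooling. It reads a bundle or the output of git log --all -p and reports Stripe-style key prefixes (sk_live_, rk_live_, pk_live_ and their test variants; these shapes are an assumption, check your provider's documentation) plus a generic high-entropy fallback for long tokens assigned to names like api_key or secret, and it separates publishable keys, which belong in the browser, from secret and restricted ones, which never do. The sample input is constructed and contains no real keys.

```python
#!/usr/bin/env python3
"""Scan text for API keys that must not live in client code or a repo.

Added example for this page (not ClearedToShip code). Feed it a built
frontend bundle or `git log --all -p` so every branch and every past
commit is covered. Key shapes are an assumption: Stripe-style prefixes
plus a generic high-entropy fallback; adjust KEY_PREFIXES per provider.
"""
import math
import re
import sys
from dataclasses import dataclass

# Prefix -> label. Assumed Stripe-style shapes: publishable (pk_) keys are
# designed for the browser, secret (sk_) and restricted (rk_) keys are not.
KEY_PREFIXES = {
    "sk_live_": "secret (live)",
    "rk_live_": "restricted (live)",
    "sk_test_": "secret (test)",
    "rk_test_": "restricted (test)",
    "pk_live_": "publishable (live)",
    "pk_test_": "publishable (test)",
}
CLIENT_SAFE = {"pk_live_", "pk_test_"}

PREFIXED_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, KEY_PREFIXES)) + r")([0-9A-Za-z]{16,})\b"
)
# Fallback: a long token assigned to a suspicious name, e.g. api_key = "...".
GENERIC_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([A-Za-z0-9+/_\-]{20,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str      # prefix + length only, so the report cannot re-leak the key
    client_safe: bool  # True only for publishable keys


def shannon_entropy(s: str) -> float:
    """Bits per character: a random 30-char alphanumeric scores ~4.7, English words ~3."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return f"{token[:8]}...({len(token)} chars)"


def find_secret_keys(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per credential-looking token, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_RE.finditer(line):
            prefix = m.group(1)
            findings.append(Finding(line_no, KEY_PREFIXES[prefix],
                                    redact(m.group(0)), prefix in CLIENT_SAFE))
        for m in GENERIC_RE.finditer(line):
            token = m.group(2)
            if any(token.startswith(p) for p in KEY_PREFIXES):
                continue  # already reported by the prefix rule above
            if shannon_entropy(token) < entropy_threshold:
                continue  # placeholders like REPLACE_ME_... are not secrets
            findings.append(Finding(line_no, f"high-entropy {m.group(1).lower()}",
                                    redact(token), False))
    return findings


def must_rotate(findings: list[Finding]) -> list[Finding]:
    """Everything that is not a publishable key has to be rotated."""
    return [f for f in findings if not f.client_safe]


# Constructed sample: a minified bundle line, a server-side config line that
# leaked into the bundle, and two lines of a git diff hunk. No real keys.
SAMPLE = '''var stripe=Stripe("pk_live_A1b2C3d4E5f6G7h8I9j0K1l2");
const STRIPE_SECRET="sk_live_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp";
-  api_key = "REPLACE_ME_REPLACE_ME_REPLACE_ME"
+  api_key = "q8Z2mN7vK3pL9xR4wT6yB1cD5fG0hJ"
'''

if __name__ == "__main__":
    # python3 find_keys.py dist/bundle.js      or      git log --all -p | python3 find_keys.py
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE
    for f in find_secret_keys(text):
        verdict = "ok in client" if f.client_safe else "ROTATE"
        print(f"line {f.line_no}: {f.kind:<22} {f.redacted:<24} {verdict}")
```

Run it over git log --all -p rather than the working tree: a key that was committed and then deleted in a later commit is invisible to a checkout but still in history, and the line number it reports in that output, read together with the surrounding commit header, tells you which commit to purge and when the exposure window opened. The report deliberately prints only the prefix and length, so pasting it into a ticket does not leak the key a second time.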

Want it verified, not just fixed?

Fixing it is step one. A ClearedToShip review confirms the fix actually holds and gives you a signed, insured clearance to launch. Join early access for a free launch-readiness scan.