Why Your API Keys Are Leaking on GitHub and How to Stop It
Developers often keep dozens of API keys for AI services in .env files or hard-code them in source, and those files are easily committed to a public GitHub repository by mistake. The result is large-scale credential exposure, unexpected bills and account compromise. This article covers the risks, real-world examples and statistics, and the practical steps that keep keys out of source control.
Many developers now integrate several AI services (Claude, OpenAI, Alibaba Cloud, GLM, Kimi, MiniMax and others) and keep the corresponding API keys in a .env file. Over time they lose track of where the keys live, sometimes hard-code them directly into source files, and then push those files to a public GitHub repository with git push, at which point the credentials are readable by anyone.
Key best-practice advice includes:
List configuration files such as .env in .gitignore so they are never staged or committed.
Never hard-code keys in source; read them from environment variables or a secret-management tool at runtime.
Remove any test keys from the code before committing, and check the staged changes for key-shaped strings before they leave your machine.
If a key has already been pushed, treat it as compromised and revoke and rotate it: deleting the file or rewriting history does not remove it from forks, clones or caches that already fetched it.
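The three steps above come together in a pre-commit hook that refuses a commit whose staged additions contain anything shaped like an API key. The script below is an added example written for this article, not code from the original post or from any vendor. The key shapes it matches (an OpenAI key starting with sk-, an Anthropic key starting with sk-ant-, an AWS access key ID starting with AKIA followed by 16 characters, a Google API key starting with AIza followed by 35 characters, plus a generic NAME=value rule for names containing api_key, secret or token) are assumptions about common prefixes and will need tuning for other vendors; the sample .env text is constructed and contains no real key.

```python
#!/usr/bin/env python3
"""Pre-commit secret scanner (added example, not the article's own code).

Run as .git/hooks/pre-commit: it scans only the lines that `git commit` would
add, reports anything that looks like an API key, and exits non-zero so the
commit is blocked. Key shapes are assumptions about common vendor prefixes.
"""
import re
import subprocess
import sys

# Loose, assumed shapes per vendor. A hit means "stop and look", not proof of a
# live key. Checked in this order, so the more specific sk-ant- rule runs before
# the generic sk- rule.
KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    # NAME=value / NAME: value where NAME smells like a secret and the value is
    # a long literal. Values starting with $ or ( (shell/env references) fail.
    "generic_assignment": re.compile(
        r"(?i)\b[A-Z0-9_]*(?:api_key|secret|token)[A-Z0-9_]*\s*[=:]\s*"
        r"[\"']?([A-Za-z0-9_\-./+=]{16,})"
    ),
}

# Substrings that mark a value as a documentation placeholder, not a secret.
PLACEHOLDERS = ("your", "xxx", "changeme", "example", "redacted", "<")


def is_placeholder(value: str) -> bool:
    """True for values like sk-your-key-here or AWS's AKIAIOSFODNN7EXAMPLE."""
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def find_secrets(text: str) -> list:
    """Return (line_no, pattern_name, redacted_value) for each suspicious line.

    One report per line; the redacted form keeps only the first 6 and last 4
    characters so the hook's own output does not re-leak the key.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in KEY_PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if is_placeholder(value):
                continue
            hits.append((n, name, value[:6] + "..." + value[-4:]))
            break
    return hits


def staged_added_lines() -> str:
    """Lines added in the staged diff, i.e. exactly what this commit would record."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        l[1:] for l in diff.splitlines()
        if l.startswith("+") and not l.startswith("+++")
    )


# Constructed sample standing in for a staged .env; none of these values is real.
SAMPLE = """\
# constructed sample for the example; none of these values is real
OPENAI_API_KEY=sk-your-key-here
OPENAI_API_KEY="sk-proj-0000000000000000000000000000000000000000"
ANTHROPIC_API_KEY=sk-ant-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GOOGLE_API_KEY=AIza0123456789abcdefghijklmnopqrstuvwxy
DB_TOKEN=p9Qw3kLm2zXc8vBn4tYr
api_key = os.environ["OPENAI_API_KEY"]
"""


def main() -> int:
    """Hook entry point: block the commit if any staged addition looks like a key."""
    hits = find_secrets(staged_added_lines())
    for n, name, redacted in hits:
        print(f"possible {name} in staged addition {n}: {redacted}", file=sys.stderr)
    if hits:
        print("commit blocked: move the value to an untracked .env or a secret manager",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it with cp scan_staged.py .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit, and add .env and .env.* to .gitignore so the file is never staged in the first place. Against SAMPLE the scanner flags the sk-proj-, sk-ant-, AIza and DB_TOKEN lines, skips the two placeholder values, and ignores the line that reads the key from the environment, which is the pattern you want code to use. Note that the hook only protects future commits; a key that was already pushed must still be revoked.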
Simple Google queries can reveal leaked keys, for example:
intext:"openai_api_key=sk" site:.github.com -gist
Searching GitHub itself for OPENAI_API_KEY likewise turns up many public .env files that expose keys, letting anyone run requests against the owner's account at the owner's expense.
Real-world incidents show the financial impact: one leaked AWS key ran up charges of $200 per second; another leaked key was hit with 50,000 requests per minute, effectively donating the owner's quota to strangers.
Recent reports from GitGuardian and Snyk provide alarming statistics:
By 2025, 29 million hard-coded secrets had been pushed to public repositories.
Leaks of AI-related keys rose by 81 %; DeepSeek alone accounted for 113 000 leaked keys.
65 % of the companies on the Forbes AI 50 list had valid keys exposed on GitHub.
Keys for major services, including OpenAI, Anthropic (Claude), Google Gemini, AWS, Stripe and Groq, were found openly available.
A dedicated monitoring service, apiradar.live, continuously scans the GitHub public event stream and alerts as soon as new OpenAI, Claude or Gemini keys appear; the platform reports more than 37 000 active API-key leaks detected and mitigated.
In summary, treat API keys like digital wallets: protect them, keep them out of source control, and use tools such as .gitignore and secret‑management solutions to avoid costly breaches.
Java Tech Enthusiast
Sharing computer programming language knowledge, focusing on Java fundamentals, data structures, related tools, Spring Cloud, IntelliJ IDEA... Book giveaways, red‑packet rewards and other perks await!