Why Your API Keys Are Leaking on GitHub and How to Stop It
Developers often hard‑code AI service API keys in code or .env files and unintentionally push them to public GitHub repositories, leading to massive credential leaks, costly abuse, and security incidents; tools like apiradar.live can monitor for and alert on such exposures.
Many developers working with AI models such as Claude, OpenAI, Alibaba Cloud, GLM, Kimi, and MiniMax store the required API keys in plain‑text files such as .env, or even embed them directly in source code, and soon lose track of where the keys are kept.
Hard‑coding keys in source and pushing the repository to a public GitHub repo exposes the credentials to anyone: a single git push can make the keys publicly visible, and attackers can then drain the associated accounts.
The recommended practice is to keep configuration files such as .env out of version control by adding them to .gitignore, to never write keys directly in source files, and to always remove test keys before committing.
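One way to enforce those three rules locally, as an added example that is not part of the original article or of any tool it mentions: a POSIX shell pre-commit hook that refuses to commit .env files and greps every staged file for strings shaped like API keys. The key prefixes in SECRET_PATTERN (sk- for OpenAI/Anthropic-style keys, AKIA for AWS access key IDs, AIza for Google API keys) are illustrative patterns chosen here and are an assumption about the providers you use; extend the list for your own services.

```bash
#!/usr/bin/env sh
# Added example: minimal pre-commit secret check (not the article's code).
# Install by copying this file to .git/hooks/pre-commit and making it executable.
# SECRET_PATTERN is an illustrative assumption; add the key formats you use.
SECRET_PATTERN='(sk-[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35})'

# Succeeds (exit 0) when the text on stdin contains something that looks like a key.
looks_like_secret() {
    grep -Eq "$SECRET_PATTERN"
}

# Succeeds when the path is a config file that must never be committed.
# Complements .gitignore: a forced add (git add -f) still gets caught here.
is_forbidden_path() {
    case "$1" in
        .env|*/.env|.env.*|*/.env.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks one file by path. Returns 1 (and prints a reason) if it must be blocked.
check_file() {
    path="$1"
    if is_forbidden_path "$path"; then
        echo "blocked: $path must not be committed (add it to .gitignore)" >&2
        return 1
    fi
    if looks_like_secret < "$path"; then
        echo "blocked: $path contains what looks like an API key" >&2
        return 1
    fi
    return 0
}

# Hook entry point: scan every file staged for commit (added/copied/modified).
# Returns non-zero, which makes git abort the commit, if any file is blocked.
run_precommit() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue
        check_file "$f" || status=1
    done
    return $status
}

# Only run the scan when git invokes this file as the pre-commit hook.
case "$0" in
    */pre-commit) run_precommit ;;
esac
```

The hook blocks on the file path first, so a .env file is refused even when its contents happen not to match a pattern; the pattern scan then catches keys pasted into ordinary source files, which .gitignore alone cannot prevent.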
To discover leaked keys, you can use a Google dork like intext:"openai_api_key=sk" site:.github.com -gist, which returns many public repositories that have accidentally committed API credentials.
Real‑world examples show countless public repositories containing exposed .env files; screenshots of search results and leaked keys illustrate the scale of the problem.
Industry Statistics
By 2025, an estimated 29 million hard‑coded secrets are expected to be pushed to public GitHub repositories.
AI‑related keys have surged by 81 % year‑over‑year, with DeepSeek alone leaking 113 000 keys.
65 % of the companies on the Forbes AI 50 list have validated, active keys visible on GitHub.
OpenAI, Anthropic (Claude), Google Gemini, AWS, Stripe, Groq and many other services have keys exposed in the wild.
One developer even reported an AWS bill charging $200 per second after a key was leaked.
Real‑Time Monitoring
The service apiradar.live continuously scans GitHub public event streams; when a new OpenAI, Claude, or Gemini key is detected, it immediately triggers an alert. Screenshots of the dashboard show that the platform has already identified and mitigated over 37 000 active API‑key leakage threats.
These incidents demonstrate that an API key functions as a digital wallet: losing it can cost you money, reputation, and even your job. Treat keys with the same care as financial assets—store them securely, exclude them from version control, and monitor for accidental exposure.