Why Your API Keys Are Your Digital Wallet—and How to Stop Leaking Them
Developers often scatter API keys across .env files, hard‑code them into source code, or push them to public GitHub repositories, leading to massive credential leaks that can instantly drain cloud‑service balances, as shown by real‑world GitHub scans and industry reports.
Developers frequently manage dozens of AI‑service API keys (Claude, OpenAI, Alibaba Cloud, GLM, Kimi, MiniMax, etc.) by storing them in .env files or, for convenience, hard‑coding them directly into source code. Over time they forget where each key resides, and an accidental git push to a public repository exposes the credentials to anyone.
When a key is exposed on GitHub, malicious actors can instantly consume the associated quota, leading to unexpected charges. One example shows a developer who pushed a repository containing an OpenAI key; within minutes the key was queried 50,000 times, effectively “donating” the service for free.
Searches on GitHub confirm the scale of the problem. Using the Google dork intext:"openai_api_key=sk" site:.github.com -gist reveals countless public .env files and code snippets that contain live keys. Screenshots from the scan illustrate dozens of repositories with exposed credentials.
Recent industry reports from GitGuardian and Snyk quantify the risk:
In 2025, 29 million hard‑coded secrets were pushed to public GitHub repositories.
AI‑service keys grew by 81 % year‑over‑year; DeepSeek alone leaked 113 000 keys.
65 % of the Forbes AI‑50 companies have at least one verified, active key on GitHub.
These leaks span major providers such as OpenAI, Anthropic (Claude), Google Gemini, AWS, Stripe, and Groq.
To mitigate the threat, a real‑time monitoring service, apiradar.live, continuously scans GitHub public events. When a new OpenAI, Claude, or Gemini key appears, the platform immediately raises an alert. The site reports having identified and mitigated over 37 000 active API‑key leakage incidents.
Practical recommendations:
List all configuration files that hold credentials (e.g., .env) in .gitignore to prevent accidental commits.
Avoid hard‑coding keys in source files; use secret‑management tools or environment variables.
Remove any test keys from code before committing and rotate them regularly.
Monitor repositories with tools like GitGuardian, Snyk, or custom GitHub alerts to catch accidental exposures early.
Consider implementing automatic token revocation after a billing anomaly or suspicious usage spike.
Treat each API key as a digital wallet: losing it can quickly empty your cloud‑service balance.
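The recommendations above can be enforced mechanically rather than by memory. The following is an added example, not code from the original post or from apiradar.live: a small pre-commit style scanner that fails a commit when a staged file is a .env file or contains a string shaped like a provider key, plus a usage-spike check of the kind that could trigger automatic revocation. The key prefixes (sk-, sk-ant-, AKIA, sk_live_) are publicly documented provider shapes; the minimum lengths, the inline allowlist-secret opt-out marker and the sample staged files are assumptions constructed for the example.

```python
"""Added example: staged-file secret scanner and usage-spike check (not the post's own code)."""
import re
import subprocess
import sys
from dataclasses import dataclass

# Key-shape patterns. Prefixes are the publicly documented provider shapes;
# the minimum lengths are assumptions chosen so short placeholders do not match.
PATTERNS = {
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}"),
}
ALLOW_MARKER = "allowlist-secret"  # hypothetical inline opt-out for documented placeholders
ENV_FILE = re.compile(r"(^|/)\.env(\..+)?$")  # .env, .env.local, ... should never be staged


@dataclass
class Finding:
    path: str
    line: int      # 0 for whole-file findings
    kind: str
    preview: str   # redacted, safe to print in CI logs


def redact(secret):
    """Keep only the prefix and last two characters so logs never re-leak the key."""
    return secret[:6] + "..." + secret[-2:]


def scan_text(path, text):
    findings = []
    if ENV_FILE.search(path):
        findings.append(Finding(path, 0, "env_file_staged", path))
    for no, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:  # explicitly marked placeholder, skip this line
            continue
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, no, kind, redact(m.group(0))))
    return findings


def scan_files(files):
    """files: mapping of path -> text content. Returns all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def staged_files():
    """Collect staged paths and their staged (index) contents from git."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    files = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        files[name] = blob.decode("utf-8", errors="replace")
    return files


def usage_spike(counts, window=7, factor=5.0, floor=100):
    """True when the latest per-period request count exceeds `factor` times the
    mean of the preceding `window` periods and the absolute `floor`. A hit is the
    kind of billing anomaly that should trigger key revocation."""
    if len(counts) <= window:
        return False
    baseline = sum(counts[-window - 1:-1]) / window
    latest = counts[-1]
    return latest >= floor and latest > factor * max(baseline, 1)


# Constructed sample input standing in for `git diff --cached`; all values are fake.
SAMPLE_STAGED = {
    "config.py": 'OPENAI_API_KEY = "sk-' + "A" * 24 + '"\n',
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n"
        "STRIPE_KEY=sk_live_" + "c" * 24 + "\n"
    ),
    "client.py": (
        'ANTHROPIC_KEY = "sk-ant-' + "B" * 30 + '"\n'
        'EXAMPLE = "sk-' + "x" * 24 + '"  # allowlist-secret (documentation placeholder)\n'
    ),
    "README.md": "Set OPENAI_API_KEY in your environment.\n",
}

if __name__ == "__main__":
    # Run with --git inside a repository to scan the real index; otherwise use the sample.
    files = staged_files() if "--git" in sys.argv else SAMPLE_STAGED
    found = scan_files(files)
    for f in found:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit when used as a hook
```

Installed as .git/hooks/pre-commit with the --git flag, the non-zero exit blocks the commit; in CI the same scan over the whole tree catches keys that slipped past local hooks. The redacted preview matters: a scanner that prints the full match into a public CI log is itself a leak.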
Java Tech Enthusiast