API keys (OpenAI, Anthropic, Stripe, AWS, etc.) are embedded in client-side JavaScript, accessible to any visitor.
Move API calls to a server-side route (Next.js API route, edge function). Never ship secret keys in client code.
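A sketch of the server-side route described above, written as an added example rather than code from this page: the browser sends only a prompt, and the server attaches the key from its own environment. The endpoint URL, the `UPSTREAM_API_KEY` variable name, the `prompt`/`text` field names and the length limit are assumptions made for illustration.

```javascript
// Added example. UPSTREAM_URL, UPSTREAM_API_KEY and the request/response
// field names are assumptions, not a real provider's API.
const UPSTREAM_URL = "https://api.example.com/v1/complete"; // placeholder endpoint
const MAX_PROMPT_CHARS = 2000; // assumed limit to bound cost per request

// Build the outbound request on the server. The key comes from a server-only
// environment variable; in Next.js, do not give it a NEXT_PUBLIC_ prefix,
// because variables with that prefix are inlined into the browser bundle.
function buildUpstreamRequest(body, env) {
  const key = env.UPSTREAM_API_KEY;
  if (!key) throw new Error("UPSTREAM_API_KEY is not set on the server");
  const prompt = body && body.prompt;
  if (typeof prompt !== "string" || prompt.length === 0 ||
      prompt.length > MAX_PROMPT_CHARS) {
    return null; // caller answers 400
  }
  return {
    url: UPSTREAM_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${key}` },
      // Forward only the field the browser is allowed to control.
      body: JSON.stringify({ prompt }),
    },
  };
}

// Handler in the (req, res) shape of a Next.js API route; in a route file it
// would be the default export. fetchImpl and env are injectable for offline tests.
async function handler(req, res, fetchImpl = fetch, env = process.env) {
  if (req.method !== "POST") {
    return res.status(405).json({ error: "method not allowed" });
  }
  const upstream = buildUpstreamRequest(req.body, env);
  if (!upstream) return res.status(400).json({ error: "invalid prompt" });
  const reply = await fetchImpl(upstream.url, upstream.init);
  // Return a generic error so upstream details never reach the client.
  if (!reply.ok) return res.status(502).json({ error: "upstream error" });
  const data = await reply.json();
  return res.status(200).json({ text: data.text }); // pass back one field only
}
```

Because the route itself is callable by any visitor, it still needs the application's own authentication and rate limiting in front of it; the key is hidden, but the spend is not.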
Security Scanner automatically checks for this issue as part of its 70+ module scan. Try it free — no signup needed for the quick scan.