𝗦𝘁𝗼𝗽 𝗟𝗲𝗮𝗸𝗶𝗻𝗴 𝗬𝗼𝘂𝗿 𝗔𝗣𝗜 𝗞𝗲𝘆𝘀

𝗦𝘁𝗼𝗽 𝗟𝗲𝗮𝗸𝗶𝗻𝗴 𝗬𝗼𝘂𝗿 𝗔𝗣𝗜 𝗞𝗲𝘆𝘀

I leaked my API key twice.

First, I put the key in a JavaScript file. I pushed it to GitHub. A scanner found it.

Second, I used an environment variable in React. The key lived in the browser. Anyone with DevTools saw the key.

Client side secrets are not secrets.

I built a proxy. I used Cloudflare Workers.

The process is simple:

• Your frontend calls the proxy.
• The proxy adds the API key on the server.
• The proxy calls the AI API.
• The proxy returns the answer.

The API key never enters the browser.

Benefits:

• Low latency.
• Free for small projects.
• You control rate limits.

Production tips:

• Use JWT for user auth.
• Use Cloudflare KV for rate limiting.

Keep your keys on the server.

Source: https://dev.to/__c1b9e06dc90a7e0a676b/i-exposed-my-api-key-twice-before-building-a-proxy-heres-what-i-learned-1l28