What happens if my OpenAI API key leaks?

Short answer

Within hours, bots will burn through your balance with thousands of requests; the first sign is usually a usage spike and a card charge. Revoke the key now (OpenAI dashboard → API Keys → Revoke) and issue a replacement. Then find the leak: GitHub history, Replit deployment, screenshot, client bundle. Report the abuse to OpenAI promptly: they have in many cases credited abuse charges reported within 24 hours, but the credit is at their discretion.

OpenAI keys are worth real money, so scanning for them is aggressive. Expect bots to find a key within seconds to minutes of it appearing on public GitHub, and to start charging your account shortly after. Deleting the commit afterwards does not help; by then the key has already been copied.

**Immediate response:**

1. OpenAI dashboard → API Keys → find the leaked key → Revoke. Do this before anything else; a few minutes of downtime costs less than the abuse.
2. Generate a new key and update it wherever your app reads it (Vercel: Project Settings → Environment Variables; Netlify: same; a server you run yourself: update the env file and `systemctl restart your-app`). Environment changes only take effect after a redeploy or restart, so confirm the old key is no longer in use before moving on.
3. Email OpenAI support immediately at support@openai.com. Subject: 'URGENT: API key leaked [timestamp], requesting credit for abuse'. They have a documented process and are usually generous if you're fast.
4. Check usage: OpenAI dashboard → Billing → Usage, and look at the hours since the leak. A spike is abuse. Note the dollar amount and the time window; you will need both for the support ticket.

**Find the leak:**

- Search your GitHub org for the partial key: `sk-` (or `sk-proj-` for project-scoped keys) plus the first few characters after it. GitHub code search only indexes current branch heads, and most leaks sit in a commit that was later amended or deleted but still lives in the git history, so also walk the history of a local clone (`git log -p --all`, gitleaks or trufflehog) and check forks, which keep their own copy of that history.
- Check client-side bundles. Open your deployed site in browser devtools → View Source (including the built JS chunks and any source maps) → Ctrl-F for `sk-`. If it's there, the key shipped to every visitor, and your own server logs will not tell you who took it.
- Check Replit deployments, old Vercel builds, old Heroku apps, any forked repos.
- Check screenshots, tweets, blog posts and support tickets that include code samples or terminal output.

**Prevent repeat:**

- GitHub → Settings → Code security: Secret scanning and Push protection (ON).
- Run gitleaks or trufflehog in CI and as a pre-commit hook, so a key is caught before it is pushed rather than after.
- Never put keys in client-side code; route every call through a `/api/` endpoint on your server. That endpoint needs its own authentication and rate limiting, or abusers will simply run up your bill through it instead of through the key.
- Set a hard monthly budget under Billing → Limits, and use project-scoped keys so a leaked key is confined to one project and can be rotated without touching the others.

Securie's scan (launching this year) will walk your entire commit history, client bundle and the common leak locations above. Join the list for a week-one run that finds not just the key you know leaked, but any others you don't.
