Skip to main content

How NOT to find your AI API keys

Where you shouldn't be finding your private API key. The public internet.

· By Sagger Khraishi · 4 min read

You shouldn't find your API keys this way. Never. Because if you can find it, that means I can or so can anyone else on the internet.

And that's pretty bad. At the minimum, for 7,000 OpenAI API keys at $5 each, that's 35k. If that's $200 on each key, that's $1.4 mill. And more are being added daily. Anthropic? 604 keys. Perplexity? 295.

What is an API key?

An API (Application Programming Interface) is basically a shared handshake. If you get the API key for Google Maps, then when you use that API key with another tool, you are giving that tool permission to use Google Maps.

Similarly, if you're building automation, like with Make or n8n, you need to use an API key to create the handshake between the AI tool you want to use and the script you want to build.

And if you're vibe coding, there's a chance that you will unwittingly get a dataset/openai_api_key.txt that's leaking your API key so anyone can use your API.

When did this become public?

  • August 2024 at Defcon, security researcher Bill Demirkapi revealed finding more than 1,000 OpenAI API keys published online through poor security practices. OpenAI.
  • February 2nd, 2025, Andrej Karpathy introduced the term "vibe coding", which described developers relying on AI-generated code, basically going in with the vibes while coding.
  • March 2025, articles started popping up about how API keys were being leaked online unwittingly because people just didn't really know what to look for.

What's being done to prevent it?

Short answer: GitHub, OpenAI, Anthropic, and Perplexity are each approaching the issue differently.

Long answer: While AI companies are using scripts to regularly remove compromised API keys, you have companies like Perplexity which are more focused on their enterprise customers while smaller developers have to self-manage key safety.

GitHub offers secret scanning, which is free for all users with public repositories. If you're running a private repository, then that's available if you are on a GitHub Team, or Enterprise Cloud plan with GitHub Secret Protection enabled.

How can I find mine?

Step 1. Open GitHub.

Step 2. Use the following search paths, depending on what AI tool you are using. Replace "gitusername" with your own GitHub name.

OpenAI

About the author

Sagger Khraishi Sagger Khraishi
Updated on Aug 31, 2025