⚠ BOTS SCAN GITHUB EVERY 11 MINUTES FOR EXPOSED KEYS ⚠ IF YOUR KEY IS EXPOSED, ASSUME IT'S ALREADY BEEN USED ⚠ ROTATE FIRST. INVESTIGATE SECOND.
EMERGENCY TRIAGE GUIDE — LAST UPDATED APRIL 2026

I leaked my API key.

The 60-minute response guide.
  • <11 minutes before bots find your exposed key
  • 277 avg days to detect a breach after exposure
  • $4.88M avg cost of a data breach (IBM 2025)
The 60-minute response

Do this. Right now.

0–2 min (Critical)

Revoke the key. Right now.

Before you do anything else — even before you finish reading this — go revoke the exposed key. Don't wait until you understand the full scope. Don't wait to see if it was actually used. Assume it was found. Assume it's being used. Revoke it.

  • OpenAI: platform.openai.com → API Keys → Revoke
  • AWS: IAM Console → Security credentials → Deactivate access key
  • Stripe: Dashboard → Developers → API Keys → Roll key
  • Anthropic: console.anthropic.com → API Keys → Revoke
  • GitHub PAT: Settings → Developer Settings → Personal access tokens → Delete
    # AWS: revoke via CLI if you can't reach the console.
    # Add --user-name <iam-user> if the key belongs to a different IAM user
    # than the one running the command.
    aws iam update-access-key \
      --access-key-id AKIAIOSFODNN7EXAMPLE \
      --status Inactive

    # Immediately create a replacement key
    aws iam create-access-key --user-name your-user
2–15 min (Urgent)

Check for active usage

With the key revoked, check whether it was already used. Look at the logs for the service the key belonged to. You're looking for requests you didn't make — especially at unusual times or from unusual IPs.

  • OpenAI: Check usage dashboard for unexplained spikes in tokens or requests
  • AWS: CloudTrail → filter by Access Key ID → look for unauthorized API calls
  • Stripe: Dashboard → Logs → filter by API key → look for unknown charges or payouts
  • GitHub: Settings → Security log — look for auth events from unknown IPs

If you see unauthorized usage: note the timestamps, IPs, and actions taken. You'll need this for any incident report or dispute. Screenshot everything now.
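The CloudTrail check above, as an added example that is not part of the original guide: it filters records by the exposed access key ID, keeps only calls made at or after the exposure time from IPs you don't recognise, and summarises them by source IP so you have the timestamps, IPs and actions the next step asks for. It assumes the records are in the shape `aws cloudtrail lookup-events` returns and that you can list your own egress IPs; every record below is constructed, and the key IDs are the two example IDs from AWS's documentation.

```python
"""Triage CloudTrail events for an exposed AWS access key.

Added example, not part of the original guide. It assumes the records are
in the shape `aws cloudtrail lookup-events` returns (each record carries
the full event as a JSON string in "CloudTrailEvent"), that you know
roughly when the key became public, and that you can list the egress IPs
that are legitimately yours. Every record below is constructed; the key
IDs are the two example IDs from AWS's own documentation.
"""
import json
from datetime import datetime, timezone

EXPOSED_KEY_ID = "AKIAIOSFODNN7EXAMPLE"      # same ID as the guide's CLI snippet
EXPOSED_AT = "2026-04-01T09:00:00Z"           # assumed: when the commit went public
KNOWN_IPS = {"203.0.113.10"}                  # assumed: your CI / office egress addresses


def _ts(iso: str) -> datetime:
    """CloudTrail eventTime is UTC with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def _record(time, name, source, ip, key_id=EXPOSED_KEY_ID, error=None):
    """One lookup-events record (constructed sample data)."""
    detail = {
        "eventTime": time, "eventName": name, "eventSource": source,
        "sourceIPAddress": ip, "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
    }
    if error:
        detail["errorCode"] = error
    return {"EventTime": time, "EventName": name, "CloudTrailEvent": json.dumps(detail)}


# Constructed sample: your own call before exposure, your own call after it,
# two calls from an unknown IP (one denied), a call with a different key, and
# an instance launch from a second unknown IP.
SAMPLE_EVENTS = [
    _record("2026-04-01T08:00:00Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.10"),
    _record("2026-04-01T09:05:00Z", "GetBucketLocation", "s3.amazonaws.com", "203.0.113.10"),
    _record("2026-04-01T09:12:00Z", "ListBuckets", "s3.amazonaws.com", "198.51.100.77"),
    _record("2026-04-01T09:13:00Z", "CreateUser", "iam.amazonaws.com", "198.51.100.77",
            error="AccessDenied"),
    _record("2026-04-01T09:20:00Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.77",
            key_id="AKIAI44QH8DHBEXAMPLE"),
    _record("2026-04-01T09:30:00Z", "RunInstances", "ec2.amazonaws.com", "192.0.2.200"),
]


def triage(events, key_id, exposed_at, known_ips):
    """Calls made with key_id at or after exposed_at from IPs you don't recognise."""
    cutoff = _ts(exposed_at)
    hits = []
    for rec in events:
        d = json.loads(rec["CloudTrailEvent"])
        if d.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        if _ts(d["eventTime"]) < cutoff:
            continue
        ip = d.get("sourceIPAddress", "")
        if ip in known_ips:
            continue
        hits.append({
            "time": d["eventTime"], "ip": ip, "action": d["eventName"],
            "service": d.get("eventSource", ""), "agent": d.get("userAgent", ""),
            "denied": "errorCode" in d,   # a denied call is still evidence someone tried
        })
    hits.sort(key=lambda e: _ts(e["time"]))
    by_ip = {}
    for e in hits:
        by_ip.setdefault(e["ip"], []).append(e["action"])
    return {
        "count": len(hits), "events": hits, "by_ip": by_ip,
        "first": hits[0]["time"] if hits else None,
        "last": hits[-1]["time"] if hits else None,
    }


def load_lookup_events(path):
    """Read real data saved with:
        aws cloudtrail lookup-events \\
          --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key id> \\
          --start-time <exposure time> > events.json
    lookup-events covers management events for the last 90 days; S3 object reads
    and other data events appear only if data-event logging was already enabled."""
    with open(path) as f:
        return json.load(f)["Events"]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, EXPOSED_KEY_ID, EXPOSED_AT, KNOWN_IPS)
    print(f"{result['count']} suspicious calls between {result['first']} and {result['last']}")
    for ip, actions in result["by_ip"].items():
        print(f"  {ip}: {', '.join(actions)}")
```

Denied calls are kept deliberately: an `AccessDenied` on `CreateUser` from an unknown IP tells you someone was probing what the key could do, which belongs in the incident record even though it did no damage.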

15–30 min (Important)

Remove the key from git history

Revoking the key doesn't remove it from your git history. If your repo is public, bots have already indexed it — but remove it anyway. If it's private, remove it before anyone else gains access.

    # Option 1: git-filter-repo (recommended)
    pip install git-filter-repo
    # replacements.txt holds one rule per line, literal text ==> replacement:
    #   sk-proj-Ab3xK9mNpQ...==>REDACTED_KEY
    git filter-repo --replace-text replacements.txt
    # git-filter-repo removes the origin remote as a safety measure; re-add it before pushing:
    # git remote add origin <repo url>

    # Option 2: BFG Repo-Cleaner (faster for large repos)
    java -jar bfg.jar --replace-text replacements.txt

    # After either option: drop the old objects, then push every rewritten branch and tag
    git reflog expire --expire=now --all
    git gc --prune=now --aggressive
    git push --force --all
    git push --force --tags

Important: Force-pushing rewrites history. Everyone with a clone needs to re-clone after this. Tell your team.

30–60 min (Important)

Add prevention — before you do anything else

Before you write another line of code, put the guardrails in place. Add a pre-commit hook that catches secrets before they hit git.

    # Install detect-secrets and pre-commit
    pip install detect-secrets pre-commit

    # .pre-commit-config.yaml in the repo root
    repos:
      - repo: https://github.com/Yelp/detect-secrets
        rev: v1.4.0
        hooks:
          - id: detect-secrets

    # Install the hook into .git/hooks; from now on a commit containing a secret is blocked
    pre-commit install

Pre-commit hooks prevent the next accidental commit. But they don't protect the key once your app is running. That's a different problem — see below.
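What such a hook actually does, as an added example that is neither the guide's code nor detect-secrets' own: it scans only the lines being added in the staged diff, applying fixed patterns for well-known key formats plus a Shannon-entropy test that catches random-looking strings the patterns don't know about. The sample diff and every key in it are constructed fakes; the OpenAI-style value extends the redacted fragment used in the guide's replacements.txt line.

```python
"""Scan staged changes for secrets before they are committed.

Added example, not from the guide and not detect-secrets' own code. It
combines the two checks such hooks rely on: fixed patterns for known key
formats and a Shannon-entropy test for long password-shaped strings. The
sample diff and all key values in it are constructed.
"""
import math
import re
import subprocess
import sys

# Known key formats. Pattern shapes only; no real keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
}
# Anything long and password-shaped that no pattern claimed goes through the entropy test.
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; random base64-like strings sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_secrets(text: str) -> list:
    """Return (line_number, finding_type, matched_text) for each hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        spans = []
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, kind, m.group()))
                spans.append(m.span())
        for m in ENTROPY_CANDIDATE.finditer(line):
            if any(a <= m.start() < b for a, b in spans):
                continue   # already reported by a known-format pattern
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy", m.group()))
    return findings


def added_lines(diff: str) -> str:
    """Keep only the '+' lines of a unified diff (minus the marker), dropping '+++' headers."""
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


# Constructed sample of staged additions, as `git diff --cached -U0` would show them.
SAMPLE_DIFF = """\
+OPENAI_API_KEY = "sk-proj-Ab3xK9mNpQrT7vWz2yLf4hJs8dGe1cUb"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "Zq8vN3kL0pXw7rT2bHs9mYc4eJd6aF1g"
+LOG_LEVEL = "debug"
+DESCRIPTION = "Reads configuration from the environment at startup"
"""


def main() -> int:
    """Pre-commit entry point: scan the staged additions and fail the commit on any hit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(added_lines(diff))
    for lineno, kind, value in hits:
        # Print a prefix only, so the hook itself never echoes a full secret into CI logs
        print(f"possible secret ({kind}) in staged line {lineno}: {value[:8]}...")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

The entropy check is what catches the third line: a 32-character random password matches no known format but has 5 bits of entropy per character, far above the threshold. The flip side is false positives on things like hashes or minified identifiers, which is why real tools ship a baseline file for known exceptions.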

Done (Recovery)

Document and report if needed

If there was unauthorized usage — especially involving customer data, payments, or internal systems — you may have notification obligations depending on your jurisdiction and any customer contracts.

  • Note: what was exposed, when, for how long
  • Note: what unauthorized activity occurred (if any)
  • Note: what data or systems were accessible via this key
  • Notify: team members who may have downstream exposure
  • Notify: affected customers if required under your terms or regulations
  • File: dispute with the service provider if fraudulent charges occurred
After the triage

Make sure this never happens again.

🔒 Pre-commit hooks

Catch secrets before they're committed. detect-secrets, gitleaks, and trufflehog all work well. Stops the most common cause of leaks.

Doesn't help once the app is running. The key still exists as plaintext in your environment.

Partial — prevents commits
🗄️ Secrets managers (Vault, Doppler)

Encrypts keys at rest. Centralized access control. Audit logging. A real improvement over .env files.

Once your app retrieves the key, it becomes a plaintext string in memory. That's still vulnerable.

Partial — protects at rest
🔄 Key rotation

Regular rotation limits the window of exposure if a key is compromised. Combine with automatic rotation tooling.

The average enterprise rotates every 180 days. Breaches take 277 days to detect. The math still doesn't work.

Partial — reduces window
🛡️ Runtime protection (VaultProof)

Splits the key before storage. A proxy reconstructs it only for the API call — milliseconds — then zeros it from memory. The full key never exists in your app, environment, or config.

A compromised dependency, a pushed .env, a supply chain attack — none of them can steal what doesn't exist.

Complete — protects in use
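The split-and-reconstruct idea described above, as an added illustration that is not VaultProof's code and makes no claim about how that product is built: the key is stored as two XOR shares, each of which is uniformly random on its own, recombined into a mutable buffer only for the duration of a call, then overwritten. The key value and the "API call" are constructed.

```python
"""Keep an API key as two shares and rebuild it only for the call.

Added illustration of the split-and-reconstruct pattern; not VaultProof's
implementation. Shares are XOR one-time-pad style: neither share alone
reveals anything about the key. Key value and API call are constructed.
"""
import secrets
from typing import Callable


def split_key(key: bytes) -> tuple:
    """Return two shares whose XOR is the key. Keep them in different places
    (assumed: one with the secrets manager, one on the proxy host)."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def with_reconstructed_key(share_a: bytes, share_b: bytes, use: Callable):
    """Recombine into a mutable buffer, hand it to `use`, then overwrite it.
    Caveat: Python cannot stop `use` from copying the bytes (for example by
    converting them to str), and the interpreter may hold temporaries; the
    pattern bounds the key's lifetime, it does not guarantee erasure."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    buf = bytearray(a ^ b for a, b in zip(share_a, share_b))
    try:
        return use(buf)
    finally:
        for i in range(len(buf)):
            buf[i] = 0


def demo() -> dict:
    """Run the pattern end to end on a constructed key and report what happened."""
    key = b"sk-proj-EXAMPLE-NOT-A-REAL-KEY"      # constructed placeholder
    share_a, share_b = split_key(key)
    seen = {}

    def fake_api_call(buf: bytearray) -> int:
        # Stand-in for building the Authorization header. It records only whether
        # the buffer held the key, and keeps the buffer so the caller can confirm zeroing.
        seen["matched_key"] = bytes(buf) == key
        seen["buf"] = buf
        return 200

    status = with_reconstructed_key(share_a, share_b, fake_api_call)
    return {
        "status": status,
        "share_a_is_key": share_a == key,
        "share_b_is_key": share_b == key,
        "key_seen_by_call": seen["matched_key"],
        "buffer_zeroed_after_call": all(b == 0 for b in seen["buf"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the test makes is the one the section claims: a dump of the environment or of either storage location yields a share, not the key, and after the call the only buffer that ever held the full key is zeros. The caveat in the docstring is the part a Python (or any garbage-collected) implementation has to live with.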

STOP THE NEXT LEAK.

Protect your API keys at the moment they're used — not just at rest.
Free to start. 15 minutes. Works alongside what you already have.


// npm install @vaultproof/sdk  ·  pip install vaultproof