One accidental git push is all it takes to leak your API keys. For AI applications that interface with OpenAI, Anthropic, or other providers, a leaked key can mean thousands of dollars in unauthorized usage within hours.
The Golden Rules
- Never hardcode API keys in client code — they're visible to anyone who inspects your bundle
- Use environment variables — but know their limitations
- Proxy through Server Actions — keep keys server-side only
The Right Pattern
// ❌ Never do this (client component)
const apiKey = "sk-..." // Exposed!
// ✅ Do this instead (Server Action)
'use server'
export async function callAI(prompt: string) {
const apiKey = process.env.OPENAI_API_KEY
// Call AI service here - key stays on server
}
Beyond Environment Variables
For production AI apps, consider:
- API key rotation — regularly cycle keys to limit blast radius
- Rate limiting — prevent abuse even with valid keys
- Usage monitoring — set alerts for unusual spending patterns
- Secret management services — Vercel Env or cloud KMS for team environments
Your AI API keys are as valuable as your source code—treat them that way. A few minutes of proper setup can prevent a very expensive mistake.
Read the complete guide with real-world breach scenarios and advanced security patterns at JayApp.
Originally published at https://jayapp.cn/en/blog/secure-ai-api-management-nextjs-16
Top comments (0)