DEV Community: Leboisdolivier The latest articles on DEV Community by Leboisdolivier (@leboisdolivier). https://dev.to/leboisdolivier https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3916695%2F129efafe-0e9f-492b-b3e3-b441806247e3.png DEV Community: Leboisdolivier https://dev.to/leboisdolivier en How I stopped leaking my Anthropic API key in React Native Leboisdolivier Wed, 06 May 2026 21:01:35 +0000 https://dev.to/leboisdolivier/how-i-stopped-leaking-my-anthropic-api-key-in-react-native-2dm1 https://dev.to/leboisdolivier/how-i-stopped-leaking-my-anthropic-api-key-in-react-native-2dm1 <p>If you've ever built a React Native or Expo app with the Anthropic API, <br> you've probably done this at some point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EXPO_PUBLIC_ANTHROPIC_API_KEY=sk-ant-... </code></pre> </div> <p>It works. The app calls Claude. Everything is fine.</p> <p>Until you realize that <code>EXPO_PUBLIC_</code> means the key is bundled <br> into your APK and your web build — visible to anyone who downloads <br> the app or opens DevTools.</p> <h2> The fix: a server-side proxy </h2> <p>The solution is straightforward: never call Anthropic directly from <br> the client. Put a thin proxy in between.</p> <p>Your app → (Bearer token) → Proxy → (Anthropic key) → Claude</p> <p>Your Anthropic key never leaves the server.</p> <h2> I open-sourced mine </h2> <p>I kept building this proxy from scratch for every project, so I <br> cleaned it up and published it as a template:</p> <p>👉 <a href="https://github.com/Leboisdolivier/atelier-claude-proxy" rel="noopener noreferrer">atelier-claude-proxy</a></p> <p>Two flavors, same interface:</p> <p><strong>Firebase Functions</strong> — uses Firebase Auth ID tokens. <br> If you're already on Firebase, it's a near-zero-config drop-in. <br> Deploys in ~5 minutes.</p> <p><strong>Cloudflare Worker</strong> — framework-agnostic, ~0ms cold start, <br> 100k requests/day on the free tier. Deploys in ~3 minutes.</p> <p>Both are ~100 lines of vanilla JS with no dependencies <br> beyond the platform SDK.</p> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://YOUR_PROXY_URL</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello!</span><span class="dl">'</span> <span class="p">}],</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">text</span><span class="p">);</span> </code></pre> </div> <p>The response is the raw Anthropic API response — no transformation.</p> <h2> What it handles </h2> <ul> <li>API key stored in Secret Manager / Workers Secrets</li> <li>Auth verified on every request</li> <li>CORS locked to your origins</li> <li>Hard token cap to protect your bill</li> <li>Usage logged per user (uid + token count)</li> </ul> <p>Feedback welcome — especially on the auth model for the <br> Cloudflare version.</p> reactnative expo anthropic security