July 9, 2026
Identifying Publicly Leaked OpenAI and Anthropic API Keys
As organizations increasingly integrate artificial intelligence into their services, API tokens issued by providers such as OpenAI and…

By Criminal IP
8 min read
As organizations increasingly integrate artificial intelligence into their services, API tokens issued by providers such as OpenAI and Anthropic have become critical credentials for application operations. However, API tokens intended exclusively for server-side use are sometimes exposed through web pages, environment files, debugging interfaces, and client-side application code.
In June 2026, Criminal IP Asset Search was used to investigate internet-facing assets containing AI API token prefixes and configuration-related keywords. The results identified multiple assets containing strings associated with OpenAI project keys using the 'sk-proj-' prefix and Anthropic API keys using the 'sk-ant-api03-' prefix. In confirmed cases, API keys appeared in Next.js 'NEXT_DATA' blocks, publicly accessible '.env' files, client-side JavaScript, and cloud-hosted web applications. Some assets exposed additional sensitive information, including administrator tokens and database credentials.
This article examines the AI API token exposure patterns identified through Criminal IP, the primary technical causes of these exposures, and the security measures organizations should implement.
Tracking AI API Token Exposure with Criminal IP
The investigation focused on direct keyword searches for known AI API token prefixes and common configuration variable names. Infrastructure filters were also applied to narrow the results. The primary searches did not rely on Criminal IP platform tags, allowing the investigation to cover a broader range of internet-facing assets.
The following results were validated in June 2026.
Search QueryResultsKey Insight"sk-proj-"29Highest volume; direct prefix match in banners and HTML"OPENAI_API_KEY" AND port:8018Strong signal in web-exposed configuration files".env" AND "sk-proj-"3Direct evidence of exposed environment files"sk-ant-api03-"11 Anthropic keys also actively leakingcloud_provider:AWS AND "OPENAI_API_KEY"8Significant exposure on major cloud provider
The presence of a token prefix or configuration variable does not, by itself, confirm that a key is currently valid or has been maliciously used. However, exposing authentication-related strings through an internet-facing service indicates that secrets may not be properly separated from publicly accessible application data.
Key Insights and Evidence from Criminal IP
1. OPENAI_API_KEY Exposure on Port 80
The following query returned 18 internet-facing assets: "OPENAI_API_KEY" AND port:80
Criminal IP Search Query: "OPENAI_API_KEY" AND port: 80
Many of the identified assets were located in China and hosted on infrastructure associated with Alibaba. Several services returned HTTP 200 responses containing HTML content with configuration-related information. Using an environment variable does not automatically prevent a secret from being exposed. When an application includes an environment variable in rendered HTML, page data, or a JavaScript bundle, the value may become accessible to external users. Organizations must therefore verify that sensitive environment variables remain exclusively within server-side processing.
2. OpenAI API Key Exposed through Next.js NEXT_DATA
One identified asset contained an OpenAI API key inside a Next.js NEXT_DATA JSON block. Next.js uses NEXT_DATA to send data required for page rendering from the server to the browser. If a server-side configuration value is included in page properties or another serialized object, the value may be delivered directly to the client.
In this case, a token beginning with sk-proj- appeared under a default_gpt_token field. Although the value may originally have been stored as a server-side environment variable, it became publicly accessible after being serialized into client-rendered page data. Organizations using Next.js should review whether server-only variables are included in pageProps, configuration objects, or other data structures returned to the browser.
3. Secret Exposure Through Publicly Accessible .env Files
The following query returned 3 results: ".env" AND "sk-proj-" .env files are commonly used to store API keys, database passwords, service endpoints, and other application configuration values. These files should never be directly accessible over the internet. However, web server misconfiguration or deployment errors may place them inside a publicly served directory.
riminal IP Search Query: ".env" AND "sk-proj-"
One result located in the Republic of Korea was marked with a Data Leak indicator in Criminal IP and exposed multiple ports, including services associated with MySQL. When a .env file is exposed, the incident may involve more than a single AI API key. The same file may contain database credentials, internal API endpoints, administrator accounts, or cloud access information.
For this reason, organizations should not limit remediation to blocking access to the file. Every credential contained in the exposed file should be considered compromised and rotated.
4. Anthropic API Key Exposure
A search for the Anthropic API key prefix returned 11 results: "sk-ant-api03-" The identified assets were distributed across Europe and Asia, including infrastructure located in France. One result was marked with a Data Leak indicator in Criminal IP.
Criminal IP Search Query: "sk-ant-api03-
These results indicate that API token exposure is not limited to a single AI service provider.
Applications that integrate multiple AI platforms may store several provider credentials in the same configuration file or application code. A single exposure may therefore reveal access tokens for multiple external services.
5. Regional Distribution of OpenAI Project Key Prefixes
A broad search for the OpenAI project key prefix returned 29 results: "sk-proj-" The results included several assets hosted on DigitalOcean infrastructure across various regions. Multiple assets were associated with Next.js applications and Let's Encrypt certificates.
Criminal IP Search Query: "sk-proj-"
The presence of multiple results in a specific region or cloud environment does not necessarily indicate that the region or provider is inherently less secure. Instead, the findings show how development, staging, and production applications hosted in public cloud environments may unintentionally expose credentials through application content or deployment configuration.
6. Detecting AI Gateway Configurations on AWS Assets
The following search identified 8 assets. Some results contained references to AI Gateway applications, token pricing, cost controls, and key management functions.
Criminal IP Search Query: cloud_provider:AWS AND "OPENAI_API_KEY"
These references suggest that some assets may be associated with applications or management interfaces integrating AI APIs. However, the presence of an API-related string does not by itself confirm that an active production credential is exposed. Asset owners should determine whether the identified value is a valid credential, test data, an example value, or a previously revoked key.
7. Client-Side JavaScript with Embedded Credentials
Another identified example contained multiple hardcoded credentials in client-side JavaScript. The exposed values included an OpenAI API key, an administrator token, a database connection string, and another secret key.
JavaScript delivered to a browser must be treated as publicly accessible. Minification and code obfuscation do not provide effective protection for embedded credentials. Anyone who can load the application can inspect the JavaScript code and extract the values. Requests requiring private AI API credentials should be processed through a server-side API or backend service. Long-lived private keys should not be sent directly to a browser.
Key Vectors for AI API Token Exposure
The investigation identified several recurring exposure patterns.
Next.js and Frontend Data Serialization
Server-side environment variables may be exposed when they are included in NEXT_DATA, page properties, or other serialized application data. Frameworks that combine server-side and client-side logic within the same project require strict separation between values used internally by the server and values intentionally delivered to the browser.
Publicly Accessible .env Files
Environment files may become externally accessible when they are placed inside the web server document root or when static file handling is improperly configured. Because .env files frequently contain several types of credentials, a single exposed file may affect AI services, databases, cloud accounts, and internal systems simultaneously.
Debug and Error Pages
Detailed debugging interfaces, including Laravel Whoops pages and Django debug pages, can expose environment variables, file paths, internal addresses, and application configuration. When AI services are integrated into an application, these debug pages may also reveal AI provider credentials. Debug functionality should therefore be disabled in production environments.
Development and Production Assets on Public Cloud Infrastructure
The search results included assets hosted on AWS, DigitalOcean, and Alibaba-related infrastructure. The cloud providers themselves are not the cause of the exposure. The risk typically results from publicly accessible development environments, deployment errors, or production configurations copied into systems without appropriate access controls.
Security Risks of Exposed AI API Tokens
When an AI API token is exposed, an unauthorized party may use the token within the permissions, rate limits, and spending limits assigned to it.
Potential consequences include:
- Unauthorized AI API usage charged to the affected organization
- Generation of phishing, disinformation, or social engineering content
- Use of AI services within automated attack tools or malicious scripts
- Credential chaining with database accounts or internal API keys exposed on the same asset
- Sale or exchange of valid API credentials on underground markets
- Service disruption caused by exhausted usage quotas or cost limits
The risk becomes more significant when an AI API key is exposed together with administrator tokens, database credentials, or internal service information.
In such cases, the incident may extend beyond unauthorized AI usage and create opportunities for broader access to the affected environment.
Best Practices for Preventing AI API Token Exposure
1. Immediately Revoke and Rotate Exposed Keys
Any API key suspected of exposure should be revoked through the relevant provider dashboard and replaced with a new key. Organizations should also review provider logs for unexpected request volumes, unusual geographic activity, unauthorized model usage, and abnormal costs. Testing the exposed key directly is not recommended when ownership or authorization is unclear.
2. Keep Credentials Safe with a Secrets Management System
AI API keys should not be stored in source code, client-side JavaScript, or publicly accessible configuration files. Credentials should be managed through dedicated platforms such as:
- AWS Secrets Manager
- HashiCorp Vault
- Doppler
Applications should retrieve secrets only at runtime and only within the server-side components that require them.
3. Verify Frontend Framework Configuration Practices
Organizations using Next.js or similar frameworks should confirm that server-only environment variables are not included in:
- Client-side JavaScript bundles
- Page properties
- NEXT_DATA
- Public configuration objects
- Browser-accessible API responses
AI provider requests requiring private credentials should be routed through a backend service or server-side API route.
4. Deploy Automated Secret Scanning in CI/CD Pipelines
Secret scanning tools can detect AI API key patterns before code and build artifacts are deployed.
Examples include:
- TruffleHog
- GitGuardian
- Semgrep
Scanning should cover source repositories as well as compiled JavaScript, Docker images, static build outputs, deployment packages, and configuration files.
5. Enforce Least Privilege and Usage Limits
Organizations should use separate API keys for different applications, projects, and environments. A single key should not be shared across development, staging, and production systems. Where supported, organizations should apply:
- Model restrictions
- Request rate limits
- Monthly spending limits
- Feature-level permissions
- Automated usage alerts
These controls can reduce the impact of a leaked credential.
6. Perform Ongoing Monitoring of Internet-Facing Assets
The following Criminal IP queries can be used to identify assets requiring further review:
"sk-proj-"
"OPENAI_API_KEY" AND port:80
".env" AND "sk-proj-"
"sk-ant-api03-"
cloud_provider:AWS AND "OPENAI_API_KEY"
Search results should be treated as initial indicators rather than definitive proof that a token is valid or that an asset has been compromised. Each result should be reviewed by the authorized asset owner to determine whether the exposed value is active, sensitive, or already revoked.
Conclusion
Criminal IP Asset Search identified OpenAI and Anthropic API token patterns across Next.js rendering data, publicly accessible .env files, client-side JavaScript, and cloud-hosted web applications. These findings show that AI API credentials can become externally accessible through application design and deployment mistakes, even when developers originally intended to store them as environment variables. AI API keys should be managed with the same level of protection applied to database passwords and cloud access credentials.
Organizations adopting AI services should combine secure secrets management, strict separation of server and client code, CI/CD secret scanning, usage monitoring, and continuous inspection of internet-facing assets. By identifying exposed token patterns before they are abused, security teams can reduce unauthorized API use, unexpected costs, and the risk of broader credential-based compromise.
In relation to this, you can refer to FortiBleed Campaign Analysis: Why Internet-Exposed FortiGate Devices Become the Starting Point for Credential Theft.
This article is based on an analysis shared by the threat intelligence specialist, Clandestine.