API keys in browser code are public. Learn the difference between public configuration and private secrets before connecting payments or AI APIs.
14 min · Reviewed 2026
Secrets, Env Vars, And The Frontend Trap
API keys in browser code are public. Learn the difference between public configuration and private secrets before connecting payments or AI APIs.
Name the job before naming the tool.
Write the smallest useful scope the agent can finish.
Run the result as a user, not as a fan of the tool.
Inspect the diff, data access, and failure path before sharing.
Move the AI provider key out of client code. Create a server route that receives a prompt, validates length, calls the provider with the secret key, and returns only the safe response.Use this as the working prompt or checklist for the lesson.
What should the user be able to do when this is finished?
What data should the app or agent never expose?
What test proves the change works?
What rollback path exists if the output is wrong?
End-of-lesson check
15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-vibecoder-secrets-and-env
A developer embeds their Stripe payment API key directly in JavaScript code that runs in the user's browser. What is the primary security risk?
The API key could be accidentally deleted by the browser
The browser will block the API key from making requests
The API key will expire after 24 hours
Anyone who loads the webpage can view the API key in the source code
A developer wants to connect their AI coding assistant to a paid AI service. Where should the API key be stored?
In a JavaScript file that gets bundled with the frontend app
In environment variables on the server side, accessed only through server routes
In the README file for easy access by collaborators
In a publicly accessible config file on a CDN
What does it mean to 'inspect the diff' when reviewing code changes involving secrets?
Compare the production and staging environments
Measure the performance difference after deployment
Check the visual differences in the app's user interface
Review the code changes to ensure no secrets were accidentally committed
Which statement best describes a 'narrow public key' for client configuration?
A key that only works during business hours
A key that only works on mobile devices
A key with limited permissions scoped to specific, safe operations
A key that expires quickly
A developer builds an AI app that generates images. They want users to be able to generate images but don't want users to have unlimited free generations. What's the safe architecture?
Put the API key server-side, create backend endpoints that enforce usage limits, and have the frontend call those endpoints
Store usage limits in the browser's local storage
Use a free AI service that doesn't require an API key
Embed the AI service API key in the frontend and trust users to limit their own usage
What is the 'frontend trap' mentioned in this context?
Frontend frameworks are difficult to learn
Developers accidentally ship secrets to the browser where they become visible to anyone
Websites load too slowly on mobile devices
The browser prevents accessing certain APIs
When the lesson says to 'write the smallest useful scope the agent can finish,' what does this refer to?
Writing the shortest possible code regardless of functionality
Limiting the number of developers who can work on a project
Using the smallest available API
Breaking down a task into the smallest piece that delivers value and can be tested independently
What is a 'rollback path' and why is it important when working with secrets and API integrations?
A backup of the database
A way to undo a deployment if something goes wrong, limiting exposure time
A path that allows users to roll back their subscription
A way to reverse bank transactions
Why should you 'run the result as a user, not as a fan of the tool' when building with AI coding assistants?
Because testing as a user catches practical issues that developers might miss when excited about the tool's capabilities
Because fans of tools write worse code
Because AI tools are always wrong
Because users prefer different code styles
What does 'observable' mean in the context of building safe AI apps?
The app must be visually attractive
The code must have many comments
The app's behavior and data flows must be visible and measurable
The app must use logging frameworks
What type of data should an application never expose to the frontend?
User interface styling preferences
Feature flag configurations
Public API endpoint URLs
Private API keys, database credentials, and admin passwords
What is a server route in the context of protecting API keys?
A backend endpoint that acts as a proxy between the frontend and external APIs
A path that users take through the app
A navigation link on a website
A way to organize files on the server
What test would prove that API key protection is working correctly?
Viewing the page source and confirming no API keys appear in the code
Testing that forms submit successfully
Checking that the website loads quickly
Verifying that all images load
Why is it risky to use AI coding assistants to quickly build demos connecting to paid APIs?
Paid APIs don't work with AI assistants
The demo might work but accidentally expose the API key in the code
AI cannot connect to APIs
AI assistants are always slow
What does 'reversible' mean in the context of deploying changes that involve secrets?
API responses can be returned in reverse order
Changes can be quickly undone if they cause problems
