Environment Variables Exposed in Bolt Client Bundle
Your Bolt.new application is bundling sensitive environment variables into the client-side JavaScript code. Anyone who opens browser DevTools can see your API keys, database connection strings, Stripe secret keys, or other credentials that should never leave the server.
This happens because Bolt's AI may prefix environment variables with VITE_ or NEXT_PUBLIC_, which tells the bundler to include them in the frontend build. While this is correct for public configuration like your site URL, it exposes any secret placed behind those prefixes.
The exposure is often discovered when you receive a massive bill from a third-party API, notice unauthorized data in your database, or when a user reports finding credentials in your page source. By then, the damage may already be done.
Error Messages You Might See
Common Causes
- VITE_ prefix on secret keys — Bolt generated environment variables like VITE_STRIPE_SECRET_KEY or VITE_DATABASE_URL, causing Vite to bundle them into client JavaScript
- Hardcoded secrets in source files — API keys placed directly in .ts or .tsx files rather than using environment variables at all
- No backend proxy for API calls — The app calls third-party APIs (OpenAI, Stripe, Twilio) directly from the browser with embedded keys
- All env vars loaded client-side — A shared config file imports every environment variable and is used in both server and client code
- .env file committed to Git — The .env file containing all secrets was committed to the repository and is visible in the build output
How to Fix It
- Audit your bundle for secrets — Open browser DevTools, go to Sources, and search for 'key', 'secret', 'password', 'token', 'DATABASE' in your JavaScript bundles
- Remove VITE_ prefix from secrets — Rename VITE_STRIPE_SECRET_KEY to STRIPE_SECRET_KEY so it is only available server-side
- Create server-side API routes — Move all third-party API calls to backend routes or Supabase Edge Functions where secrets stay on the server
- Rotate all compromised credentials — If secrets were exposed in production, immediately generate new keys in each provider's dashboard and revoke the old ones
- Separate public and private config — Create two config files: one for public values (VITE_ prefixed) and one for server-only values (no prefix)
- Add .env to .gitignore — Ensure your .env file is listed in .gitignore and remove it from Git history with git filter-branch or BFG Repo Cleaner
Real developers can help you.
Matt Butler
Software Engineer @ AWS
Daniel Vázquez
Software Engineer with over 10 years of experience on Startups, Government, big tech industry & consulting.
prajwalfullstack
Hi Im a full stack developer, a vibe coded MVP to Market ready product, I'm here to help
Stanislav Prigodich
15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it.
Omar Faruk
As a Product Engineer at Klasio, I contributed to end-to-end product development, focusing on scalability, performance, and user experience.
My work spanned building and refining core features, developing dynamic website templates, integrating secure and reliable payment gateways, and optimizing the overall system architecture.
I played a key role in creating a scalable and maintainable platform to support educators and learners globally.
I'm enthusiastic about embracing new challenges and making meaningful contributions.
Jen Jacobsen
I’m a Full-Stack Developer with over 10 years of experience building modern web and mobile applications. I enjoy working across the full product lifecycle — turning ideas into real, well-built products that are intuitive for users and scalable for businesses.
I particularly enjoy building mobile apps, modern web platforms, and solving complex technical problems in a way that keeps systems clean, reliable, and easy to maintain.
Antriksh Narang
5 years+ Experienced Dev (Specially in Web Development), can help in python, javascript, react, next.js and full stack web dev technologies.
Victor Denisov
Developer
legrab
I'll fill this later
zipking
I am a technologist and product builder dedicated to creating high-impact solutions at the intersection of AI and specialized markets. Currently, I am focused on PropScan (EstateGuard), an AI-driven SaaS platform tailored for the Japanese real estate industry, and exploring the potential of Archify.
As an INFJ-T, I approach development with a "systems-thinking" mindset—balancing technical precision with a deep understanding of user needs. I particularly enjoy the challenge of architecting Vertical AI SaaS and optimizing Small Language Models (SLMs) to solve specific, real-world business problems. Whether I'm in a CTO-level leadership role or hands-on with the code, I thrive on building tools that turn complex data into actionable value.
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
Which environment variables are safe to expose in the browser?
Only values that are truly public: your Supabase anon key (with proper RLS), site URL, Google Analytics ID, and public feature flags. Never expose database URLs, secret API keys, or payment processor secret keys.
How do I check if my keys have already been exploited?
Check the usage dashboard for each exposed service. Look for API calls you didn't make, unexpected charges, or unfamiliar data in your database. Also check if your .env file appears in any public Git commits.