The most common API keys developers leak in ChatGPT

A breakdown of the 15 most frequently leaked secrets in AI chats — and how to recognize them before you hit send.

Automated.ly Team

Every day, thousands of developers accidentally paste API keys into ChatGPT, Claude, and other AI assistants. Most don't even realize it until it's too late.

We built SecretPaste to catch these leaks automatically. Here's exactly what we look for — and what you should watch out for.

The top 5 most leaked secrets

These are the patterns we see most often. They're included in SecretPaste's free tier because they're so common.

1. OpenAI API Keys

The irony isn't lost on us. Developers leak OpenAI keys into OpenAI's own chat interface.

sk-************************************

Pattern: Starts with sk- followed by 20+ alphanumeric characters.

Why it's dangerous: OpenAI keys have no spending limits by default. A leaked key can rack up thousands in charges overnight.

2. GitHub Personal Access Tokens

The most common leak we see. Developers copy code from their terminal and forget the token is in their clipboard.

ghp_************************************

Pattern: Starts with ghp_ followed by 36 characters.

Why it's dangerous: Full repository access. Attackers can push malicious code, steal private repos, or pivot to other services.

3. GitHub OAuth Tokens

Similar to PATs, but used for OAuth app authentication.

gho_************************************

Pattern: Starts with gho_ followed by 36 characters.

4. AWS Access Keys

The keys to your cloud kingdom.

AKIA****************

Pattern: Starts with AKIA followed by 16 uppercase alphanumeric characters.

Why it's dangerous: Depending on permissions, attackers can spin up crypto miners, access S3 buckets, or delete your entire infrastructure.

5. Stripe Live Secret Keys

Payment processing credentials that should never leave your server.

sk_live_****************************

Pattern: Starts with sk_live_ followed by 24+ characters.

Why it's dangerous: Direct access to payment processing. Attackers can issue refunds, access customer data, or make charges.

10 more secrets Pro users catch

SecretPaste Pro detects these additional patterns:

GitHub App & Fine-grained Tokens

ghs_************************************
github_pat_****************************

GitHub's newer token formats for apps and fine-grained permissions.

AWS Session Tokens

ASIA****************

Temporary credentials that start with ASIA instead of AKIA.

Stripe Restricted Keys

rk_live_****************************

Limited-permission Stripe keys — still dangerous if leaked.

Anthropic (Claude) API Keys

sk-ant-api03-****************************

Claude's API keys. Yes, people paste Claude keys into ChatGPT and vice versa.

Google Cloud API Keys

AIza****************************

Starts with AIza — used for Maps, Firebase, and other Google services.

Slack Tokens

xoxb-************-************-****************************

Bot, app, and user tokens all start with xox followed by a letter.

Twilio API Keys

SK********************************

Starts with SK followed by 32 hex characters.

SendGrid API Keys

SG.****************************.****************************

Distinctive format with two parts separated by a dot.

Private Keys (PEM format)

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQE...

Any PEM-encoded private key header. This is the worst one to leak.
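As an added example (not SecretPaste's own detection code), here is a small Python scanner that encodes the 15 prefixes above as regular expressions and redacts matches from a block of text before it is pasted anywhere. The character classes, the minimum lengths the post does not state, and the constructed sample keys are assumptions.

```python
"""Detect the credential formats listed above and redact them before text leaves
the machine. Added example, not SecretPaste's rules; character classes and the
minimum lengths not stated in the post are assumptions."""
import re
PATTERNS = {  # more specific prefixes first (sk-ant- before sk-)
    "anthropic_api_key":   r"\bsk-ant-api03-[A-Za-z0-9_-]{20,}",
    "openai_api_key":      r"\bsk-[A-Za-z0-9]{20,}",
    "github_pat":          r"\bghp_[A-Za-z0-9]{36}",
    "github_oauth":        r"\bgho_[A-Za-z0-9]{36}",
    "github_app_token":    r"\bghs_[A-Za-z0-9]{36}",
    "github_fine_grained": r"\bgithub_pat_[A-Za-z0-9_]{20,}",
    "aws_access_key":      r"\bAKIA[A-Z0-9]{16}\b",
    "aws_session_key":     r"\bASIA[A-Z0-9]{16}\b",
    "stripe_live_secret":  r"\bsk_live_[A-Za-z0-9]{24,}",
    "stripe_restricted":   r"\brk_live_[A-Za-z0-9]{24,}",
    "google_api_key":      r"\bAIza[A-Za-z0-9_-]{35}",
    "slack_token":         r"\bxox[abprs]-[A-Za-z0-9-]{10,}",
    "twilio_api_key":      r"\bSK[0-9a-fA-F]{32}\b",
    "sendgrid_api_key":    r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}",
    "pem_private_key":     r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
}
COMPILED = [(name, re.compile(rx)) for name, rx in PATTERNS.items()]

def scan(text):
    """Return (name, start, end) for every credential-looking span, by position."""
    hits = [(n, m.start(), m.end()) for n, rx in COMPILED for m in rx.finditer(text)]
    return sorted(hits, key=lambda h: h[1])

def redact(text):
    """Replace every hit with <REDACTED:name>; skip spans inside an earlier hit."""
    out, last = [], 0
    for name, start, end in scan(text):
        if start < last:
            continue
        out.append(text[last:start] + f"<REDACTED:{name}>")
        last = end
    out.append(text[last:])
    return "".join(out)

# Constructed sample of a .env dump plus a PEM header; none of these are real keys.
SAMPLE = (
    "OPENAI_API_KEY=sk-" + "A" * 24 + "\n"
    "ANTHROPIC_API_KEY=sk-ant-api03-" + "B" * 40 + "\n"
    "export GITHUB_TOKEN=ghp_" + "C" * 36 + "\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"  # the example key id from AWS's own docs
    "STRIPE_KEY=sk_live_" + "D" * 24 + "\n"
    "SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-" + "e" * 24 + "\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "DEBUG=true\n"
)
```

Running `redact(SAMPLE)` leaves the non-secret lines intact and replaces each of the seven planted credentials with its placeholder; scanning the redacted output again yields no hits.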

How these leaks happen

It's rarely carelessness. It's usually:

  1. Copy-paste muscle memory — You copied a key to use it, then later pasted it into ChatGPT without checking your clipboard.

  2. Code snippets with embedded secrets — Your .env file or config has the key inline. You copy the whole block.

  3. Terminal output — You ran a command that printed a key, selected the output, and pasted it.

  4. Stack traces — Error messages sometimes include environment variables or connection strings.

What to do if you've leaked a key

  1. Revoke immediately — Don't wait. Go to the service's dashboard and revoke the key now.

  2. Generate a new key — If your app needs zero downtime, create the replacement key before revoking the old one.

  3. Check access logs — Most services show recent API usage. Look for unauthorized calls.

  4. Rotate related secrets — If you leaked an AWS key, check if any other credentials were accessible with it.

Prevention

The best fix is to never leak in the first place:

  • Use environment variables — Never hardcode secrets
  • Clear your clipboard — After using a secret, copy something else
  • Use SecretPaste — We catch these patterns automatically before you paste

SecretPaste detects all 15 of these patterns and warns you before you accidentally share them. Install it free — the 5 most common patterns are included in the free tier.