Back to Blog

Hardcoded Secrets and the Real Cost of Vibe Coding

We rescued a product where every API key was hardcoded in the source. The fix was not just rotating credentials. It was rebuilding trust in the deployment pipeline.

Adapter Team

A founder came to us after their first developer had shipped a working product in record time. The app looked great. Users were signing up. Revenue was starting to trickle in.

Then someone noticed that every API key, database credential, and third-party token was hardcoded directly into the source code.

Not in environment variables. Not in a secrets manager. Hardcoded as string literals scattered across dozens of files, committed to version control, and pushed to a public repository.

This is more common than you think

The rise of AI-assisted development has made it easier than ever to go from idea to working product. That is genuinely good. But speed without structure creates a specific class of problem that founders rarely see coming.

Hardcoded secrets are one of the most common. The AI generates working code. The developer accepts it. The app runs. Nobody asks where the credentials live until something breaks or someone looks.

By the time we were brought in, the credentials had been exposed in a public GitHub repository for weeks. Bots scan for exactly this. The window for exploitation was wide open.

Rotating credentials is only the beginning

The immediate fix sounds straightforward: rotate every secret, move them into environment variables, and redeploy. In practice, it took days.

Here is what the rotation actually required:

  • Auditing every file in the codebase to find every hardcoded value
  • Identifying which services each credential belonged to
  • Determining which credentials had been used by unauthorized parties
  • Rotating keys across payment processors, email providers, cloud infrastructure, and third-party APIs
  • Updating every environment where the app was deployed
  • Verifying that nothing broke after the swap

Several of the API keys had been used to provision infrastructure. One was tied to a payment processor with live customer data. The blast radius was not theoretical.

The patterns we see founders repeat

This project was not unusual. We see the same mistakes across early-stage products built under time pressure:

Secrets in source control. Environment variables exist for a reason. If credentials are in your codebase, they are in your git history forever, even after you delete them from the current files.

No separation between environments. The same credentials used in development, staging, and production. One leaked key compromises everything.

No access controls on infrastructure. A single root-level API key used for all operations. No scoped permissions. No audit trail.

No review process. Code goes from generation to deployment without a second set of eyes. The person writing the code is also the person approving it.

Trusting AI output without verification. AI tools generate functional code. Functional does not mean secure. The model optimizes for "it works," not for "it is safe to deploy."

What we rebuilt

After rotating every credential, we put structure in place so the problem could not recur:

  1. Environment-based configuration. All secrets moved to environment variables, managed through the hosting platform's secrets store.
  2. Git history cleanup. The repository history was scrubbed of every committed secret. The old repository was archived and a clean one was created.
  3. Scoped credentials. Each service got its own key with minimal permissions. No more single root key for everything.
  4. Pre-commit scanning. Automated checks that block any commit containing patterns that look like secrets.
  5. Deployment checklist. A lightweight review process that catches configuration issues before they reach production.

The real cost is not the rotation

The technical remediation took a few days. The harder cost was the uncertainty. Had the exposed credentials been used? Was customer data accessed? What liability existed?

For an early-stage product, that kind of uncertainty can be existential. Customers who learn their data was exposed through negligence do not come back.

Moving fast is fine. Skipping fundamentals is not.

We are not against rapid development. We help founders ship quickly every day. But there is a difference between moving fast and skipping steps that protect your users and your business.

Secrets management is not a nice-to-have. It is a baseline. If your product handles real data, processes payments, or integrates with third-party services, getting this right on day one is not over-engineering. It is the minimum.

The best time to set up proper secrets management is before you write your first API call. The second best time is right now.