Google API key
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Google API key (AIza...) was found. Browser Firebase/Maps keys are meant to be public but must be locked to referrers/APIs; server keys with no restriction can run up billing or read data.
Why it matters
A Google API key controls access to Google APIs billed to your project. Browser keys for Firebase or Maps are designed to be shipped publicly, but only if they are restricted to specific referrers and APIs; an unrestricted key can be abused to run up billing or call other enabled services. A server-side AIza key committed to code is a straightforward credential leak.
How to fix it
For browser keys, add HTTP referrer and API restrictions in the Google Cloud console so a copied key is useless elsewhere. For server keys, move the value into an environment variable and restrict it by IP or API. Regenerate the key if it was a server key or an unrestricted browser key.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo