Next.js secret scan

Check your Next.js app for leaked secrets

Scans your deployed Next.js app for API keys and tokens that ended up in the client bundle via NEXT_PUBLIC_ or accidental client component imports.

In Next.js, any environment variable prefixed with NEXT_PUBLIC_ is shipped to the browser. AI coding tools frequently prefix secrets with NEXT_PUBLIC_ to make them "work" without understanding the security implication. This scanner checks your deployed Next.js app's client bundle for API keys, tokens, and other credentials that should only exist server-side.
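
A local, pre-deploy version of the same check, as an added example (not the scanner's own code): it flags NEXT_PUBLIC_ variables in an env file that look like secrets, and searches built client JavaScript for server-only env values and known token shapes. The name heuristic, the function names and the sample values are assumptions constructed for illustration.

```javascript
// Heuristic name fragments and well-known token shapes (assumed lists; extend per provider).
const SECRET_NAME = /SECRET|PASSWORD|PRIVATE|TOKEN/i;
const TOKEN_SHAPES = {
  'Stripe secret key': /sk_(?:live|test)_[0-9A-Za-z]{16,}/,
  'AWS access key ID': /AKIA[0-9A-Z]{16}/,
  'GitHub personal access token': /ghp_[0-9A-Za-z]{36}/,
};
// Parse KEY=value lines; comment lines do not match, optional quotes are stripped.
function parseEnv(text) {
  const vars = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (m) vars.set(m[1], m[2].replace(/^(['"])(.*)\1$/, '$2'));
  }
  return vars;
}
// NEXT_PUBLIC_ variables reach the browser: flag those whose value or name looks secret.
function auditEnv(envText) {
  const findings = [];
  for (const [name, value] of parseEnv(envText)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue;
    const shape = Object.keys(TOKEN_SHAPES).find((k) => TOKEN_SHAPES[k].test(value));
    if (shape) findings.push({ name, reason: shape });
    else if (SECRET_NAME.test(name)) findings.push({ name, reason: 'secret-like name' });
  }
  return findings;
}
// Search built client JS for server-only env values (accidental imports) and token shapes.
function scanBundle(bundleText, envText) {
  const findings = [];
  for (const [name, value] of parseEnv(envText)) {
    if (!name.startsWith('NEXT_PUBLIC_') && value.length >= 8 && bundleText.includes(value)) {
      findings.push({ name, reason: 'server-only value present in client bundle' });
    }
  }
  for (const [label, re] of Object.entries(TOKEN_SHAPES)) {
    if (re.test(bundleText)) findings.push({ name: label, reason: 'token shape in bundle' });
  }
  return findings;
}
// Constructed sample input: fake values, not real credentials.
const SAMPLE_ENV = 'NEXT_PUBLIC_SITE_URL=https://shop.example\n' +
  'NEXT_PUBLIC_STRIPE_KEY="sk_live_EXAMPLEONLY0000000000"\n' +
  'NEXT_PUBLIC_ADMIN_TOKEN=constructed-admin-token\n' +
  'DATABASE_URL=postgres://app:constructed-pw@db.internal/app';
const SAMPLE_CHUNK = 'fetch(u,{headers:{Authorization:"Bearer sk_live_EXAMPLEONLY0000000000"}});' +
  'const c="postgres://app:constructed-pw@db.internal/app";';
console.log(auditEnv(SAMPLE_ENV), scanBundle(SAMPLE_CHUNK, SAMPLE_ENV));
```

In a real project, pass the contents of your env file and of each file under .next/static/chunks; hits from the name heuristic are prompts for review, since some keys meant to be public carry such names.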