Your API Key Doesn't Belong in AI-Generated Code

Published on June 8, 2026

You’re in ChatGPT or Claude, building a little tool — a link dashboard, a bot, a landing page that shortens URLs as people paste them. The assistant writes the whole thing in seconds. Somewhere in there it needs to call an outside service, so it writes:

const API_KEY = "toui_live_a1b2c3d4e5f6...";

…and asks you to drop your real key in. You do. It works. You share the chat with a teammate, deploy the artifact, or push the repo to GitHub.

Your key is now wherever that code went.

This isn’t a hypothetical. It’s the default outcome of building software inside an AI assistant in 2026, and almost nobody set out to leak a credential. The model just filled in the blank the most direct way it knew how — by hardcoding it.

Why this is specifically an AI-coding problem

Putting secrets in source code is an old mistake. What’s new is how easy AI tools make it, and how invisible the moment of decision has become.

When you set up a project the traditional way, there’s a deliberate step where you think about where the secret lives: an environment variable, a secrets manager, a .env file you remember to .gitignore. It’s friction, but the friction is the point — it’s the moment you decide not to ship the key.

Inside an AI assistant, that step disappears. You describe what you want, the code appears, and the secret-handling decision gets made for you — usually the wrong way. Two situations make it worse:

  • Front-end / shared artifacts. A ChatGPT Canvas or a Claude Artifact runs in the browser. Anything in that code is visible to anyone who opens it. There is no server, no environment, nowhere to hide a secret. A key in front-end code isn’t at risk of leaking — it’s already public.
  • Shared prompts and chats. The moment you paste a key into a conversation to get the code working, it’s in the transcript. Share the chat, screenshot it, or let it sync, and the key travels with it.

The uncomfortable truth: there is no safe way to put a normal API key into code that ships to a browser or into a prompt you share. A secret only stays secret if it never leaves a place you control.

The three honest options

Once you accept that, the design space narrows to exactly three approaches. Every credible answer is one of these:

  1. Use no key at all. An open, unauthenticated endpoint. Safe, but usually crippled — no per-account limits, no ownership, wide open to abuse, so it has to be locked down to near-uselessness.
  2. Use a key so narrow it’s safe to expose. Scope the credential down until a leak doesn’t matter — if the worst it can do is one harmless action, you can afford to publish it.
  3. Keep the secret out of the code entirely. A connector or OAuth flow where the credential lives in settings you control, and the code only ever holds a short-lived, revocable grant.

Most services only offer option 1 or hand you a full-power key and wish you luck. The interesting work is in options 2 and 3 — and that’s where we spent our time.

What toui did

toui is a URL shortener, so the stakes here are small and concrete — which makes it a clean place to get the pattern right. Two things, both shipped:

A connector, so the key never touches your code

toui runs as a remote MCP server. MCP (Model Context Protocol) is the open standard for letting an AI assistant talk to an outside service. You connect toui to Claude or ChatGPT once, signing in through OAuth, and from then on you just say “shorten this link with toui” and it happens inline.

The key detail: the authorization lives in the assistant’s connector settings, not in the chat and not in any code the model writes. The generated app never sees a secret, because there’s no secret to see. It’s listed in the official MCP Registry as io.toui/url-shortener. (Here’s the step-by-step setup for both Claude and ChatGPT.)

We’re not the first shortener with an MCP server, and that’s not the claim. The claim is about what’s underneath it.

Scoped, create-only keys — because a connector isn’t enough

Here’s the insight that’s easy to miss: a connector constrains the model’s hand, not the key’s permissions. If the credential behind your nice OAuth connector is a full-access key, then a leak — through a misconfiguration, a logged token, a compromised integration — is still total account compromise. The convenience layer doesn’t change the blast radius.

So toui keys carry a scope. A create-only key can do exactly one thing: make a short link. It can’t read your other links, can’t see your stats, can’t delete anything, can’t manage other keys. New keys default to create-only — least privilege by default, not as an opt-in you’ll forget.

This is what makes “even if it leaks, it can only shorten” true instead of reassuring. And it’s the right credential for the one case the connector doesn’t cover: a server-side app (say, something Claude Code scaffolds as a Node or Worker project) that calls the API directly. Keep it in an environment variable, make it create-only, and a slip-up is survivable instead of catastrophic.

The honest trade-off

A create-only key that leaks isn’t zero risk. Until you rotate it, someone could use it to create spam short links on your account. We bound that three ways — the narrow scope, a per-key rate and quota ceiling, and an account-level kill switch that cuts off every key at once if something’s wrong — but bounded isn’t the same as impossible.
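
The three bounds above, modeled as one authorization check. This is an added sketch, not toui's implementation: the action names, the quota of 3 and the data shapes are assumptions, and resetting the quota window is not modeled.

```javascript
// Hypothetical model of scope + per-key quota + account kill switch.
// Action names ("links:create", ...) are assumptions made for this example.
const SCOPES = {
  "create-only": new Set(["links:create"]),
  "full": new Set(["links:create", "links:read", "links:delete",
                   "stats:read", "keys:manage"]),
};

// New keys default to create-only, mirroring least privilege by default.
function makeKey(id, scope = "create-only", quotaPerWindow = 3) {
  if (!SCOPES[scope]) throw new Error(`unknown scope: ${scope}`);
  return { id, scope, quotaPerWindow, used: 0 };
}

// Checks run from widest to narrowest: account, then scope, then quota.
function authorize(account, key, action) {
  if (account.killSwitch) return { allowed: false, reason: "account kill switch" };
  if (!SCOPES[key.scope].has(action)) return { allowed: false, reason: "out of scope" };
  if (key.used >= key.quotaPerWindow) return { allowed: false, reason: "quota exceeded" };
  key.used += 1; // only successful calls consume quota
  return { allowed: true, reason: "ok" };
}

// What a leaked default key can and cannot do before and after the kill switch.
function simulateLeak() {
  const account = { killSwitch: false };
  const leaked = makeKey("k1");
  const attempts = ["links:read", "links:delete", "keys:manage",
                    "links:create", "links:create", "links:create", "links:create"];
  const reasons = attempts.map((a) => authorize(account, leaked, a).reason);
  account.killSwitch = true; // owner notices the junk links and cuts off every key
  reasons.push(authorize(account, makeKey("k2"), "links:create").reason);
  return reasons;
}

console.log(simulateLeak());
```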

We’d rather tell you the real blast radius than sell you “100% secure.” Security isn’t a feature you bolt on; it’s a set of trade-offs you make on purpose and explain plainly. The point isn’t that toui is uncrackable. It’s that the failure mode is “a few junk links you can wipe in one click” instead of “your whole account.”

If you build inside an AI assistant

The takeaway is bigger than any one tool:

  • Don’t let the model hardcode a secret. When it writes const API_KEY = "...", that’s the moment to stop and ask where that code is going to live.
  • If the code ships to a browser or a shared prompt, you need a connector or an OAuth flow — not a key. There’s no safe key for public code.
  • If you must use a key, use the narrowest one the service offers, and keep it server-side, in an environment variable, out of the chat.
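
A check for the first and third points, added here as an example rather than taken from toui: scan generated source for a hardcoded key literal before it is shared or committed, and load the key from the environment on the server instead. The `toui_live_` prefix comes from the snippet earlier on this page; the rest of the key format and the `TOUI_API_KEY` variable name are assumptions.

```javascript
// Assumption: a key is the "toui_live_" prefix followed by letters, digits, "_", "." or "-".
// Matches the key only when it appears as a quoted string literal in source code.
const KEY_LITERAL = /(["'`])(toui_live_[A-Za-z0-9_.-]*)\1/g;

// Returns one finding per hardcoded key literal, with a truncated preview
// so the report itself does not repeat the full secret.
function findHardcodedKeys(source, filename = "<input>") {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(KEY_LITERAL)) {
      findings.push({
        file: filename,
        line: i + 1,
        column: m.index + 1,
        preview: m[2].slice(0, 14) + "[redacted]",
      });
    }
  });
  return findings;
}

// Server-side loader: fails closed instead of falling back to a literal.
function loadApiKey(env = process.env) {
  const key = env.TOUI_API_KEY; // variable name is an assumption
  if (!key || !key.startsWith("toui_live_")) {
    throw new Error("TOUI_API_KEY is not set; refusing to start without it");
  }
  return key;
}

// Constructed sample of assistant-generated code: line 1 is the bad pattern,
// lines 2 and 3 read the key from the environment and contain no literal.
const SAMPLE_GENERATED = [
  'const API_KEY = "toui_live_a1b2c3d4e5f6...";',
  "const apiKey = process.env.TOUI_API_KEY;",
  "fetch(url, { headers: { Authorization: `Bearer ${apiKey}` } });",
].join("\n");

console.log(findHardcodedKeys(SAMPLE_GENERATED, "app.js"));
```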

For shortening links specifically, toui handles both paths — the MCP connector for working inside Claude and ChatGPT, and scoped create-only keys for everything else. The API is free to use, and connecting the assistant takes about a minute.

Your API key shouldn’t live in code the whole internet can read. With the right setup, it doesn’t have to.
