Ship It Lesson 3 of 27

The Secret Leak

The Story

You followed Lesson 1. You built the trip planner. You pasted your API key right into the prompt, and Claude Code put it right into the code. Then in Lesson 2, you pushed everything to GitHub.

Your API key is now on the internet.

Let that sink in. The key that’s connected to your billing account — the one that lets anyone call the AI service and charge it to you — is sitting in a public repository where anyone in the world can read it.

This isn’t a hypothetical problem. There are bots that scan GitHub constantly, twenty-four hours a day, looking for exactly this mistake. They find exposed keys within minutes. Sometimes seconds. And when they find one, they use it. People have woken up to bills of hundreds of dollars — sometimes thousands — because they pushed an API key to GitHub and someone else found it and started using it to run their own requests.

Google, OpenAI, and Anthropic all have systems that try to catch this. Google will sometimes email you a warning. But by the time that email arrives, the damage might already be done.

This is the most common and most expensive beginner mistake in software development. And the fix is surprisingly simple.

