Ship It Lesson 3 of 27

The Secret Leak

The Story

You followed Lesson 1. You built the trip planner. You pasted your API key right into the prompt, and Claude Code put it right into the code. Then in Lesson 2, you pushed everything to GitHub.

Your API key is now baked into your code.

“But the repo is private,” you’re thinking. “Only I can see it.” And right now, that’s true. But here’s why secrets in code are still a problem — even in a private repo:

You might make it public one day. You build a portfolio, you want to show off your work, you flip the repo to public. Forgot the key was in there? So did thousands of developers before you. There are bots that scan GitHub constantly, twenty-four hours a day, looking for exactly this mistake. They find exposed keys within minutes. Sometimes seconds.

Your Git history remembers everything. Even if you delete the key from the code later, the old commit that contained it is still in your history. Anyone who clones the repo — a collaborator, a future employer, even you on a different computer — gets the full history, key included.

Private doesn’t mean secure. Private repos are access control — they decide who can see your code. But anyone you invite as a collaborator sees everything, including your key. And if GitHub itself ever has a security breach (it’s happened), private repos are exposed too.

It’s in plain text on every machine. Every computer that clones this repo now has your API key sitting in a file. Your laptop, your backup drive, your collaborator’s laptop. That’s a lot of places for a secret to leak from.
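The Git-history point above, shown as an added example that is not part of the original lesson: a throwaway repository in which a key is committed and then deleted in a later commit. The key is a constructed placeholder, and the function names and the `planner.py` file name are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: deleting a key in a later commit does not remove it from history.
# FAKE_KEY is a constructed placeholder, not a real credential.
FAKE_KEY="sk-EXAMPLE-0000-constructed-not-real"

# Build a throwaway repo: commit 1 hardcodes the key, commit 2 "removes" it.
# Prints the path of the new repo.
make_demo_repo() {
  _repo=$(mktemp -d) || return 1
  git -C "$_repo" init -q
  git -C "$_repo" config user.email "demo@example.invalid"
  git -C "$_repo" config user.name "Demo"
  printf 'API_KEY = "%s"\n' "$FAKE_KEY" > "$_repo/planner.py"
  git -C "$_repo" add planner.py
  git -C "$_repo" commit -q -m "Add trip planner"
  printf 'import os\nAPI_KEY = os.environ["API_KEY"]\n' > "$_repo/planner.py"
  git -C "$_repo" commit -q -am "Remove hardcoded key"
  printf '%s\n' "$_repo"
}

# Number of tracked files in the current checkout that contain the string.
count_in_worktree() {  # usage: count_in_worktree REPO STRING
  git -C "$1" grep -l -F -e "$2" -- . 2>/dev/null | wc -l | tr -d ' '
}

# Number of commits, on any branch, whose changes added or removed the string.
count_in_history() {   # usage: count_in_history REPO STRING
  git -C "$1" log --all --oneline -S"$2" | wc -l | tr -d ' '
}

# Print both counts for a fresh demo repo, then clean up.
run_demo() {
  _demo=$(make_demo_repo) || return 1
  echo "files containing the key now:   $(count_in_worktree "$_demo" "$FAKE_KEY")"
  echo "commits that touched the key:   $(count_in_history "$_demo" "$FAKE_KEY")"
  rm -rf "$_demo"
}

run_demo
```

The current checkout looks clean, but the history search still finds the commit that added the key and the commit that deleted it, and the first of those contains the key in full.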

People have woken up to bills of hundreds of dollars — sometimes thousands — because they pushed an API key to GitHub and someone else found it. Google, OpenAI, and Anthropic all have systems that try to catch this. Google will sometimes email you a warning. But by the time that email arrives, the damage might already be done.

This is the most common and most expensive beginner mistake in software development. And the fix is surprisingly simple.

