Gemini/API key wallet-drain checklist for AI apps
AI app launches now need a wallet-drain check: exposed paid keys, unrestricted Google keys, client-controlled models, and missing rate limits.
For AI apps, a launch bug can become a billing incident. A leaked paid API key or unbounded AI proxy can let strangers spend your budget before you notice.
Check these before launch
- No OpenAI, Anthropic, Gemini, Replicate, OpenRouter, or similar secret key in browser-visible code.
- Google API keys that are not Firebase public config are restricted by HTTP referrer and API scope.
- Client requests cannot choose arbitrary expensive models or providers.
- Routes that spend money require auth and rate limits.
- Provider-side spend caps and alerts are configured.
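The two checklist items about client-chosen models and unauthenticated, unlimited spend routes can be enforced in one server-side guard. The following is an added example, not Shipshape's code; it assumes an Express-style request object with `req.user` set by upstream auth, an allowlist of one Gemini model chosen for the example, and an in-memory per-user counter that a real deployment would replace with a shared store.

```javascript
// Added example: guard for a server-side AI proxy route.
// The paid provider key stays in process.env on the server and is never sent to the browser.
const ALLOWED_MODELS = new Set(["gemini-2.0-flash"]); // example allowlist, tune per app
const MAX_REQUESTS_PER_MINUTE = 20;
const MAX_PROMPT_CHARS = 4000;

// Per-user request timestamps (constructed for the example; use Redis or similar in production).
const buckets = new Map();

// Sliding one-minute window: returns true when the user has already used their quota.
function rateLimited(userId, now = Date.now()) {
  const windowStart = now - 60_000;
  const recent = (buckets.get(userId) || []).filter((t) => t > windowStart);
  if (recent.length >= MAX_REQUESTS_PER_MINUTE) {
    buckets.set(userId, recent);
    return true;
  }
  recent.push(now);
  buckets.set(userId, recent);
  return false;
}

// Returns {ok, status, reason} or {ok, status, forward} for the upstream provider call.
function guardAiRequest(req, now = Date.now()) {
  const body = req.body || {};
  // Routes that spend money require auth.
  if (!req.user || !req.user.id) return { ok: false, status: 401, reason: "unauthenticated" };
  // The client never selects an arbitrary model or provider; only allowlisted models pass.
  if (typeof body.model !== "string" || !ALLOWED_MODELS.has(body.model)) {
    return { ok: false, status: 400, reason: "model not allowed" };
  }
  // Bound the forwarded input so a single request cannot burn a large token budget.
  if (typeof body.prompt !== "string" || body.prompt.length > MAX_PROMPT_CHARS) {
    return { ok: false, status: 413, reason: "prompt too large" };
  }
  // Per-user rate limit on the spending route.
  if (rateLimited(req.user.id, now)) return { ok: false, status: 429, reason: "rate limited" };
  return { ok: true, status: 200, forward: { model: body.model, prompt: body.prompt } };
}
```

Provider-side spend caps still belong on top of this guard, since a bug in the proxy itself is exactly the case the caps are there to contain.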
Shipshape's role
Shipshape flags confirmed exposed paid API keys as wallet failures and marks risky client-side patterns as incomplete review items instead of pretending it can prove cost behavior from the outside.
FAQ
What is wallet drain?
A financial abuse path where attackers use exposed keys or unbounded paid routes to run up API costs on your account.
Does Shipshape call paid AI APIs to test keys?
No. It stays conservative: confirmed exposed paid secrets are failures, and risky patterns become review items unless owner-configured checks prove more.