
How to stop a runaway OpenAI / API bill in your app

Calling a paid AI API directly from the browser exposes your key and your budget. Here is the safe pattern: a server proxy, rate limits, and spend caps.

If your app calls OpenAI, Anthropic, or another paid API directly from the browser, two bad things are true: your API key is exposed, and anyone can run up your bill. AI builders sometimes wire it this way because it’s the quickest path to a working demo.

The fix: never call a paid API from the client

Set spend limits as a backstop

If your key is already in the client

Rotate it immediately, then move the calls server-side. A key that has been public should be considered compromised.

Shipshape flags when your page appears to call a paid API directly from the browser (a "needs-deeper" warning; it never calls the API itself).

FAQ

Why is calling OpenAI from the browser dangerous?
It exposes your API key to anyone who views the page, and it lets any visitor spend on your account. Paid APIs should be called from a server endpoint that holds the key.

How do I prevent a runaway AI bill?
Proxy the call through a server-side endpoint, require auth, rate-limit it, and set a monthly usage cap and billing alerts on the provider account.
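The server-side pattern in that answer, written out as an added example (not Shipshape's code or any provider SDK): one endpoint that checks auth, applies a per-user rate limit, and reserves against a monthly spend cap before the key is ever used. The in-memory state, the per-1k-character cost estimate and the injected `callUpstream` function are assumptions made so the file runs offline.

```javascript
// Added example: gate a paid-API call behind auth, rate limit and a monthly spend cap.
// Assumed: in-memory counters (use a shared store across instances) and a crude
// character-based cost estimate; real token pricing comes from the provider.
function createProxy({ apiKey, maxPerMinute = 10, monthlyCapUsd = 50, usdPer1kChars = 0.01 }) {
  const windowMs = 60_000;
  const recent = new Map();          // userId -> request timestamps inside the window
  let month = null, spentUsd = 0;    // running spend estimate for the current month

  function allowRate(userId, now) {
    const hits = (recent.get(userId) || []).filter(t => now - t < windowMs);
    if (hits.length >= maxPerMinute) return false;
    hits.push(now);
    recent.set(userId, hits);
    return true;
  }

  function reserveSpend(usd, now) {
    const d = new Date(now), key = `${d.getUTCFullYear()}-${d.getUTCMonth()}`;
    if (key !== month) { month = key; spentUsd = 0; }   // new month: reset the counter
    if (spentUsd + usd > monthlyCapUsd) return false;   // refuse before calling upstream
    spentUsd += usd;
    return true;
  }

  // Synchronous gate: auth, then rate limit, then spend cap. Returns an HTTP status
  // the handler can send, or ok:true when the upstream call may proceed.
  function gate({ user, prompt, now = Date.now() }) {
    if (!user) return { ok: false, status: 401, error: "authentication required" };
    if (!allowRate(user.id, now)) return { ok: false, status: 429, error: "rate limit exceeded" };
    const estimate = (prompt.length / 1000) * usdPer1kChars;  // pre-call cost estimate
    if (!reserveSpend(estimate, now)) return { ok: false, status: 402, error: "monthly cap reached" };
    return { ok: true, estimate };
  }

  // callUpstream performs the real HTTPS request to the provider; it is injected so
  // this file runs without network access. The key is read here and never sent to clients.
  async function handle(req, callUpstream) {
    const g = gate(req);
    if (!g.ok) return { status: g.status, error: g.error };
    const body = await callUpstream({ apiKey, prompt: req.prompt });
    return { status: 200, body };
  }

  return { gate, handle, spent: () => spentUsd };
}
```

The 402 on the cap is the application-level backstop; the provider-side usage cap and billing alerts from the answer above still belong on the account, since this counter resets if the process restarts.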

My API key is already in my frontend — what now?
Rotate it immediately (treat it as compromised), then move the call server-side behind auth and rate limiting.

