AI Tools · February 2026 · 5 min read

Stop Pasting API Keys Into Cursor

And Claude Code. And Windsurf. And Bolt. Here's what to do instead.

You're building a payment integration in Cursor. The AI generates a beautiful Stripe webhook handler. Then it asks:

"Can you provide your Stripe secret key so I can test this?"

You paste sk_live_xxxxxxxxxxxxx into the chat.

Congratulations. Your live Stripe key is now:

  • Stored in Cursor's conversation history
  • Transmitted to Anthropic, OpenAI, or whoever powers the AI
  • Potentially in their logs forever
  • Possibly used in future model training
  • Completely outside your control

You have no way to delete it. No way to audit who accessed it. No way to know if it's secure. The only real remedy at that point is to treat the key as compromised and roll it in the Stripe dashboard.

This isn't hypothetical

In late 2025, security researchers at Escape.tech scanned over 5,600 apps built with AI coding tools. They found 400+ exposed secrets — API keys sitting in plain text in publicly deployed applications.

These weren't amateur developers. These were people using professional tools to build real products. The speed of AI-assisted development outpaced their security habits.

The 3-minute fix

The solution is simple: never put the actual secret in your code or your prompts. Instead, fetch it at runtime.

Step 1: Store your secret in a vault (30 seconds)

Sign up for Kevorax (or any secrets manager). Add your Stripe key. Give it an alias like STRIPE_SECRET_KEY.

Step 2: Create a project token (30 seconds)

Create a project in Kevorax and assign only the secrets this app needs (here, the Stripe secret) to it. Generate a project token. This token is the ONLY thing that goes in your .env file. Treat it as a secret in its own right: .env stays in .gitignore, and the token never goes into the chat either, because whoever holds it can fetch every secret in the project.

Step 3: Fetch at runtime (2 minutes)

When your code needs the Stripe key, fetch it:

import Stripe from 'stripe';

// Fetch the live key from the vault at the moment it is needed. The only
// secret in .env is the Kevorax project token, which never enters the prompt.
async function getStripeClient() {
  const res = await fetch(
    'https://app.kevorax.com/api/runtime/secrets/STRIPE_SECRET_KEY',
    {
      headers: {
        'Authorization': `Bearer ${process.env.KEVORAX_TOKEN}`
      }
    }
  );
  if (!res.ok) {
    // Fail closed rather than constructing a Stripe client with an
    // undefined key; do not log the response body.
    throw new Error(`secret fetch failed: HTTP ${res.status}`);
  }
  const { value } = (await res.json()).data;
  return new Stripe(value);
}

Now when the AI asks for your Stripe key, you can say:

"The Stripe key is fetched at runtime from my secrets manager. Just use the getStripeClient() function."

Your actual key never appears in the conversation. Never appears in your code. Never appears in git.

But what about testing?

Use Stripe's test keys (sk_test_xxx) for development. They are still secret keys (only the pk_ publishable keys are meant to be public), but they can only touch test-mode data, so leaking one is an inconvenience rather than a breach. Store your test keys in Kevorax too, under a different alias like STRIPE_TEST_KEY, and keep them out of the chat as well.

When you switch to production, you change which alias your code fetches. Read the alias from configuration rather than hard-coding it, so the switch is a config change, not a code change, and add a startup check that refuses an sk_test_ key in production (and an sk_live_ key in development): that is what makes accidentally shipping with test keys hard, not the vault on its own.

The hidden benefit: instant rotation

Here's something nobody talks about: when your secrets are fetched at runtime, rotation becomes trivial.

Old way: Stripe says you need to rotate your key. You update it in Vercel, Railway, your local .env, three other places you forgot about. You redeploy everything. You miss one and production breaks at 2 AM.

New way: Update the secret in Kevorax. Every app that fetches the key at runtime picks up the new value on its next fetch, so no redeployment and no missed configs. Two caveats: a Stripe client built once at startup keeps the old key until the process restarts or your code re-fetches (a short cache TTL solves this), and you still have to revoke the old key at Stripe once the new one is confirmed working. Done in a couple of minutes rather than a night.
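The following is an added example, not Kevorax's code or API client: it puts Step 3, the test-key section and the rotation section together. A small loader fetches an alias from the vault with a short cache TTL (so a rotated value shows up without a redeploy), refuses an empty or non-2xx response without echoing the body, rebuilds the Stripe client only when the fetched key actually changes, and rejects a key whose sk_live_ / sk_test_ prefix does not match the environment. The URL shape and the { data: { value } } response body are taken from the article's snippet; everything else (the class names, the TTL, the injected fetchImpl and clock, the fake vault and the placeholder key values) is assumed for the example so it runs offline.

```javascript
// Added example: runtime secret loader with TTL cache and key-mode guard.
// Assumptions: vault URL and response shape as in the article's snippet;
// fetchImpl and now are injected so the demo runs against a constructed
// in-memory vault instead of the network.

const DEFAULT_TTL_MS = 60_000;

// Stripe secret keys carry an sk_live_ / sk_test_ prefix (as the article
// notes); refuse to start production with a test key, or dev with a live one.
function checkStripeKeyMode(key, mode) {
  const expected = mode === 'production' ? 'sk_live_' : 'sk_test_';
  if (typeof key !== 'string' || !key.startsWith(expected)) {
    // Only the prefix is reported, never the key body.
    throw new Error(`expected a ${expected}* key for ${mode}, got ${String(key).slice(0, 8)}...`);
  }
  return key;
}

class RuntimeSecrets {
  constructor({ baseUrl, token, ttlMs = DEFAULT_TTL_MS, fetchImpl = globalThis.fetch, now = Date.now }) {
    if (!token) throw new Error('vault token missing (KEVORAX_TOKEN not set)');
    this.baseUrl = baseUrl.replace(/\/$/, '');
    this.token = token;
    this.ttlMs = ttlMs;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.cache = new Map(); // alias -> { value, fetchedAt }
    this.fetchCount = 0;    // for the demo: how often the vault was hit
  }

  // Returns the cached value while it is fresh, otherwise re-fetches, so a
  // rotation in the vault is visible within one TTL with no redeploy.
  async get(alias) {
    const hit = this.cache.get(alias);
    if (hit && this.now() - hit.fetchedAt < this.ttlMs) return hit.value;
    const res = await this.fetchImpl(
      `${this.baseUrl}/api/runtime/secrets/${encodeURIComponent(alias)}`,
      { headers: { Authorization: `Bearer ${this.token}` } },
    );
    this.fetchCount += 1;
    if (!res.ok) {
      // Fail closed; never log the body, it may contain the secret.
      throw new Error(`vault returned HTTP ${res.status} for alias ${alias}`);
    }
    const body = await res.json();
    const value = body?.data?.value;
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`vault returned no value for alias ${alias}`);
    }
    this.cache.set(alias, { value, fetchedAt: this.now() });
    return value;
  }
}

// Rebuilds the client only when the fetched key changes; in real code
// newClient would be `key => new Stripe(key)`.
function makeStripeClientFactory(secrets, alias, mode, newClient) {
  let current = null;
  return async function getStripeClient() {
    const key = checkStripeKeyMode(await secrets.get(alias), mode);
    if (!current || current.key !== key) current = { key, client: newClient(key) };
    return current.client;
  };
}

// Constructed offline stand-in for the vault, answering in the article's
// { data: { value } } shape and checking the bearer token like a vault would.
function fakeVault(values, token) {
  return async (url, opts) => {
    const alias = decodeURIComponent(url.split('/').pop());
    if (opts.headers.Authorization !== `Bearer ${token}`) return { ok: false, status: 401, json: async () => ({}) };
    if (!(alias in values)) return { ok: false, status: 404, json: async () => ({}) };
    return { ok: true, status: 200, json: async () => ({ data: { value: values[alias] } }) };
  };
}

// Walks through a rotation: cached within the TTL, new key after it expires.
async function demo() {
  const vault = { STRIPE_SECRET_KEY: 'sk_live_AAAA' }; // constructed placeholder, not a real key
  let clock = 0;
  const secrets = new RuntimeSecrets({
    baseUrl: 'https://app.kevorax.com', token: 'tok_demo', ttlMs: 1000,
    fetchImpl: fakeVault(vault, 'tok_demo'), now: () => clock,
  });
  const getStripeClient = makeStripeClientFactory(secrets, 'STRIPE_SECRET_KEY', 'production', key => ({ keyUsed: key }));
  const c1 = await getStripeClient();
  const c2 = await getStripeClient();        // cached: same client, one fetch
  vault.STRIPE_SECRET_KEY = 'sk_live_BBBB';  // rotate in the vault
  const c3 = await getStripeClient();        // still inside the TTL: old client
  clock = 1500;
  const c4 = await getStripeClient();        // TTL expired: new key, new client
  return { sameWithinTtl: c1 === c2 && c2 === c3, rotated: c4.keyUsed === 'sk_live_BBBB', fetches: secrets.fetchCount };
}
```

In a real deployment you would construct RuntimeSecrets once with `token: process.env.KEVORAX_TOKEN`, pass `key => new Stripe(key)` as the client factory, and pick the alias and mode from configuration per environment. The TTL is the trade-off knob: shorter means faster rotation pickup and more vault calls.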

This applies to all AI tools

Cursor, Claude Code, Windsurf, Bolt, Lovable, Replit Agent — they all have the same problem. Any time you paste a secret into an AI conversation, you're creating a liability.

The fix is universal: store secrets in a vault, fetch at runtime, never paste live keys.

Ready to secure your workflow?

Kevorax takes 3 minutes to set up. $5/month flat. Your API keys never touch AI tools again.

Start Free Trial