How to Secure API Keys in a Next.js AI App

Anything delivered to a browser must be treated as public. A user can inspect JavaScript bundles, network requests, browser storage, and runtime state. Obfuscation does not turn a client-side secret into a protected credential.

Next.js documents that non-NEXT_PUBLIC_ environment variables remain server-side, while NEXT_PUBLIC_ variables are bundled into browser JavaScript. AI provider keys therefore belong only in server-side environment variables.

A secure request starts in the browser but terminates at your own protected server endpoint. That endpoint should authenticate the user, validate and constrain the input, enforce a per-user or per-IP usage limit, call the AI provider with the server-side key, and return a controlled response.

• Store provider secrets in server-only environment variables.
• Use a Route Handler or Server Action as the provider proxy.
• Authenticate before spending provider credits.
• Validate input length, type, and allowed model options.
• Apply rate limits and log abnormal usage.
• Return safe error messages without exposing provider details.

Common failures include adding a secret to a NEXT_PUBLIC_ variable, calling the provider directly from a Client Component, committing an .env file, returning verbose provider errors, and protecting an endpoint without rate limiting. Security requires both secret isolation and abuse controls.