I pasted an API key into ChatGPT — here's exactly what to do

You pasted a config file, hit Enter, and then saw it: a live key sitting in the chat. Deleting the message doesn't undo it. Here's the checklist to run through in the next ten minutes.

First, accept the one rule that matters

Treat the key as compromised. Not "maybe compromised" — compromised. The moment your message was sent, it left your machine and landed on infrastructure you don't control. It may be retained in logs, backups, or your chat history for a long time, and you have no reliable way to reach into those systems and remove it.

Deleting the conversation makes it disappear from your screen. It does not guarantee removal from the provider's systems. So the fix is never "delete the chat" — the fix is always "make the key worthless."

Good news: rotating a key usually takes under five minutes, and in most cases nothing bad has happened yet. The point of moving fast is to keep it that way.

Step 1: Revoke or rotate the key — now

Do this before anything else. Here's where the revoke button lives for the most commonly leaked credentials:

If the key belongs to your employer, tell your team while you rotate, not after. Every security team on earth prefers "I leaked a key and already rotated it" over finding out from an audit.

Step 2: Check whether the key was actually used

Rotation stops future damage. Now confirm nothing happened in the window the key was live:

Set up a billing alert while you're in there if you don't have one. It's the smoke detector for the next incident.
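One way to do the usage check in Step 2, as an added example that is not part of the original post: pull the provider's usage export for the exposed key, and compare activity during the exposure window against the key's own baseline from before the leak. The log lines below are constructed, and the JSON field names (`ts`, `key_id`, `ip`, `op`, `status`) are an assumed generic shape; map your provider's export onto them. Calls from origins never seen before the leak are the ones to read first, and rejected calls after revocation confirm the rotation actually took effect.

```python
import json
from datetime import datetime, timezone

# Constructed sample usage log in JSON-lines form (assumption: real provider
# exports use different field names; adapt the keys below).
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "key_id": "key_12", "ip": "203.0.113.5", "op": "chat.completions", "status": 200}
{"ts": "2024-05-01T09:30:00Z", "key_id": "key_12", "ip": "203.0.113.5", "op": "chat.completions", "status": 200}
{"ts": "2024-05-02T10:14:00Z", "key_id": "key_12", "ip": "203.0.113.5", "op": "chat.completions", "status": 200}
{"ts": "2024-05-02T10:21:00Z", "key_id": "key_12", "ip": "198.51.100.77", "op": "models.list", "status": 200}
{"ts": "2024-05-02T10:22:00Z", "key_id": "key_12", "ip": "198.51.100.77", "op": "chat.completions", "status": 200}
{"ts": "2024-05-02T10:40:00Z", "key_id": "key_12", "ip": "198.51.100.77", "op": "chat.completions", "status": 401}
{"ts": "2024-05-02T10:45:00Z", "key_id": "key_99", "ip": "192.0.2.9", "op": "chat.completions", "status": 200}
"""


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(log_text: str, key_id: str, leaked_at: datetime, revoked_at: datetime) -> dict:
    """Summarise what the exposed key did between the paste and the revoke.

    - baseline_ips: origins the key was used from before the leak (your own infra)
    - in_window: every call made while the key was live after the paste
    - unexpected_origin: in-window calls from an origin absent from the baseline
    - attempts_after_revoke: calls after rotation (should be rejected, e.g. 401)
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    mine = [e for e in events if e["key_id"] == key_id]
    for e in mine:
        e["t"] = parse_ts(e["ts"])

    baseline_ips = {e["ip"] for e in mine if e["t"] < leaked_at}
    in_window = [e for e in mine if leaked_at <= e["t"] <= revoked_at]
    unexpected = [e for e in in_window if e["ip"] not in baseline_ips]
    after_revoke = [e for e in mine if e["t"] > revoked_at]

    return {
        "baseline_ips": sorted(baseline_ips),
        "in_window": len(in_window),
        "unexpected_origin": [(e["ts"], e["ip"], e["op"]) for e in unexpected],
        "attempts_after_revoke": len(after_revoke),
        "rejected_after_revoke": sum(1 for e in after_revoke if e["status"] == 401),
    }


if __name__ == "__main__":
    # Exposure window: the moment the message was sent until the key was revoked.
    report = triage(
        SAMPLE_LOG,
        key_id="key_12",
        leaked_at=parse_ts("2024-05-02T10:10:00Z"),
        revoked_at=parse_ts("2024-05-02T10:35:00Z"),
    )
    print(json.dumps(report, indent=2))
```

The baseline comparison is the useful part: a few extra calls from your own CI runner are a non-event, while any call from an address you have never used is the line that goes into the incident note.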

Step 3: Find out how the key got into your clipboard

The paste is a symptom. The cause is usually one of these:

You don't have to fix your entire workflow today. But knowing which habit produced the leak tells you which guardrail to add.

Step 4: Add a guardrail so this doesn't repeat

The 5-minute checklist

  1. Revoke or rotate the exposed key. Do not just delete the chat.
  2. Update every app or service that used the old key.
  3. Check usage logs and billing for the exposure window.
  4. If it's a work key, tell your team immediately.
  5. Add one guardrail: shorter-lived keys, a secrets manager, or automatic masking on paste.
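The guardrail named in Step 4 and in item 5 of the checklist, "automatic masking on paste", comes down to scanning text for credential-shaped strings before it leaves your machine. The following is an added example of that scan, written for this article and not the Secret Sanitizer extension's own code. It assumes a short, illustrative list of public key prefixes (AWS access key IDs, GitHub personal access tokens, Slack tokens, `sk-`-style keys) plus a fallback that catches any key-like variable name assigned a long, high-entropy value; the entropy threshold and the sample config are constructed for the demonstration.

```python
import math
import re
from collections import Counter

# Illustrative patterns for a few well-known credential formats. Assumption: a
# production tool would carry a maintained, much longer list of formats.
KNOWN_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b")),
    ("sk_prefixed_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
]

# Fallback: a key-like name (API_KEY=, api_token:, "secret": ...) assigned a
# value of 16+ token characters. Whether it is masked depends on entropy below.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_.-]*(?:key|token|secret|password|passwd)[A-Z0-9_.-]*)"
    r"(\s*[=:]\s*['\"]?)([A-Za-z0-9_\-/+=.]{16,})"
)

# Assumed cut-off, in bits per character, between "looks random" and "looks like
# a placeholder or a word". Hex keys sit at up to 4.0, base62 keys higher.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its character frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the reader can still tell which key it was."""
    return value[:keep] + "[REDACTED]"


def sanitize(text: str):
    """Return (masked_text, findings); findings is a list of (label, masked_value)."""
    findings = []

    def known_repl(label):
        def _replace(m):
            redacted = mask(m.group(0))
            findings.append((label, redacted))
            return redacted
        return _replace

    # Pass 1: exact formats we recognise, regardless of surrounding context.
    for label, pattern in KNOWN_PATTERNS:
        text = pattern.sub(known_repl(label), text)

    # Pass 2: anything assigned to a key-like name, if it looks random enough.
    def assign_repl(m):
        name, sep, value = m.group(1), m.group(2), m.group(3)
        if shannon_entropy(value) < ENTROPY_THRESHOLD:
            return m.group(0)  # placeholder like xxxxxxxx... is left alone
        redacted = mask(value)
        findings.append((f"high_entropy:{name}", redacted))
        return name + sep + redacted

    text = ASSIGNMENT.sub(assign_repl, text)
    return text, findings


# Constructed sample of the kind of config file that gets pasted into a chat.
# The AKIA... value is AWS's documented example key ID, not a live credential.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=correct-horse-battery-staple-2024
API_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
api_token: 9f8e7d6c5b4a39281706f5e4d3c2b1a0
token_lifetime = 3600
region = us-east-1
"""

if __name__ == "__main__":
    masked, found = sanitize(SAMPLE_CONFIG)
    print(masked)
    for label, value in found:
        print(f"masked {label}: {value}")
```

Run this over a clipboard or text-area content before it is sent and the paste in the opening paragraph would have arrived as `AKIA[REDACTED]`. The two-pass design matters: known formats are masked even when they appear bare in a log line, while the entropy fallback catches keys in formats the list does not know without also blanking out obvious placeholders or plain settings like `region`.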

The leak itself is common — nearly every developer who uses AI chats daily has done it or come close. What separates a non-event from an incident is how fast you make the key worthless.

Never have this moment again

Secret Sanitizer masks API keys, tokens, and credentials locally — before they ever reach the chat. Free, open source, zero network calls.
