Lock up your API keys and passwords - shippingszn launch readiness
Every app you build talks to other services — Stripe for payments, OpenAI for AI, your database for data. Each of those gives you a long secret string (an API key) that proves it's you. If those strings are sitting inside your code, anyone who looks at your code can use them. That includes anyone you accidentally share a screenshot with, anyone you push to GitHub, and anyone who gets into your builder account.
This is the #1 way AI-built apps get destroyed. One leaked OpenAI key can rack up thousands of dollars over a weekend. One leaked Stripe key can let someone refund every charge you've ever made. Every modern builder gives you a place to store these safely — usually called "Secrets," "Environment Variables," or ".env" — you just have to use it.
The shippingszn CLI includes automated checks for this launch-readiness control.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- Find the Secrets / Environment Variables panel in your builder (usually a lock or key icon in the sidebar). Replit calls it Secrets, Vercel calls them Environment Variables, Bolt calls it .env, etc.
- Search your code for anything that looks like a long random string — things starting with "sk-", "AIza", or any variable named "API_KEY", "SECRET", "TOKEN", or "PASSWORD".
- Run a git-history scan, not just a search through current files. Tools like gitleaks (free, one command: `gitleaks detect`) check every commit you've ever made — including ones where you 'removed' the key by editing the file. A removed key still lives in history forever, and bots scrape public GitHub for these patterns within minutes of a push.
- For each one, add it to Secrets / env vars with a clear name (like OPENAI_API_KEY), then ask your AI builder: "replace the hardcoded OPENAI_API_KEY in my code with the environment variable."
- Test that the app still works after the swap.
Run the scanner | Unlock Launch Fix Kit
Canonical URL: https://shippingszn.com/i/secrets/