Why API Key Security Matters
Noah generates frontend code that runs in the browser. Any API key or secret hardcoded in client-side code is visible to anyone who inspects the page. Exposed credentials can lead to:- Unauthorized API usage — Attackers can use your keys to make requests at your expense
- Data breaches — Exposed database credentials can expose all your user data
- Financial loss — Leaked wallet keys or payment credentials can lead to direct fund theft
How Noah Protects Your Secrets
Noah follows a secure-by-default approach for handling credentials:Automatic Detection
When you paste an API key or secret in the chat, Noah will guide you to store it securely instead of embedding it in your code.Secure Storage
Noah uses environment variables and Supabase secrets to store credentials:- Environment variables — Stored securely, accessible only server-side
- Supabase secrets — Managed through the Cloud tab, encrypted at rest
Server-Side Execution
For operations that require API keys, Noah generates Supabase Edge Functions to keep credentials server-side:- Your frontend calls the Edge Function
- The Edge Function reads the secret securely
- The API call happens server-side
- Only the result is returned to the frontend
Setting Up Secrets
Add Your Secret
Add your API key or credential with a descriptive name (e.g.,
OPENAI_API_KEY, STRIPE_SECRET_KEY)What Should Be a Secret?
| Store as Secret ✅ | Safe in Frontend ❌→✅ |
|---|---|
| API keys (OpenAI, Stripe, etc.) | Supabase anon key (designed for frontend use) |
| Database passwords | Public API endpoints |
| Private wallet keys | App configuration (non-sensitive) |
| OAuth client secrets | Public content or metadata |
| Webhook signing secrets | |
| Third-party service tokens |
Common Patterns
Using an External API Securely
Instead of this (insecure):- Create a Supabase Edge Function for the API call
- Guide you to store your key in Secrets
- Wire up the frontend to call the Edge Function
Webhook Verification
Third-Party Integrations
Best Practices
Describe, don't paste
Describe, don't paste
Instead of pasting API keys directly, describe what you want to build. Noah will set up the secure integration for you.
Use Edge Functions for all secret-dependent calls
Use Edge Functions for all secret-dependent calls
Any API call that requires credentials should go through a Supabase Edge Function, not the frontend.
Rotate keys regularly
Rotate keys regularly
If you suspect a key has been exposed, regenerate it immediately and update it in your secrets.
Use different keys for dev and production
Use different keys for dev and production
Keep separate API keys for development and production environments to limit the blast radius of any exposure.
Audit your code for leaked secrets
Audit your code for leaked secrets
Ask Noah: “Check my code for any hardcoded API keys or secrets” to scan for accidentally exposed credentials.
FAQ
What if I accidentally pasted an API key in the chat?
What if I accidentally pasted an API key in the chat?
Noah will detect it and guide you to store it securely. However, you should still regenerate the key from the provider’s dashboard as a precaution.
Are secrets encrypted?
Are secrets encrypted?
Yes. Secrets stored through Supabase are encrypted at rest and only accessible server-side through Edge Functions.
Can I use .env files instead?
Can I use .env files instead?
For local development, yes. But for deployed apps, use Supabase secrets to ensure credentials are never bundled in your frontend build.