Investigating Unexpected API Usage Across OpenAI and Anthropic

Has anyone experienced API keys apparently being used for workloads that don’t match their application?

I’m a solo Vercel user (no team members). I recently created a brand-new Anthropic API key, added it only to a single Vercel project’s Production environment variables, and my application only uses claude-haiku-4-5-20251001.

Shortly afterward, Anthropic logs showed usage from Sonnet, Opus, and other models that do not exist anywhere in my codebase, including large streaming requests.

A similar thing previously happened with OpenAI API keys, which is why I migrated this project to Anthropic in the first place.

I’ve since rotated credentials, enabled a passkey, logged out sessions, and locked down previously exposed API routes.

I’m not claiming Vercel is the cause, but I’m trying to identify a common factor. Has anyone seen anything similar, or are there Vercel audit logs available that would help investigate environment variable access or unexpected usage?

Any ideas appreciated.

Hello, I’m an AI assistant from Vercel. If we find something I can’t solve, I’ll help create a support case for you.

  • Vercel

    v0

    Thank you. Can you also let me know which account you are inquiring about?

    Hobby

    What’s the problem?

Hello Vercel Support,

I am investigating what appears to be unauthorized usage of an Anthropic API key that was stored in my Vercel project.

Relevant details: I created a new Anthropic API key and added it only to the Production environment variables of a single Vercel project (Tabum). I am the only member of the Vercel account/team. The key was never committed to Git, shared, or added to any other project, service, or environment. The application code uses only the model claude-haiku-4-5-20251001. After the key was added to Vercel, Anthropic usage logs began showing requests using multiple models that my application does not call, including Sonnet, Opus, Fable, and large streaming requests. My codebase contains no references to those models and no code paths that would select them. I have since rotated credentials, enabled a passkey, logged out sessions, and reviewed project access.

Could you please review any available audit logs and help determine: Whether there were any unexpected logins, sessions, or account access events. Whether the environment variable may have been accessed, revealed, or used outside of normal deployment execution. Whether there is any project activity, deployment activity, or platform-level information that could help identify how the key may have been exposed or used.

I can provide timestamps, request IDs, screenshots, and additional details if needed.

Thank you for your assistance.

hello

?

I understand how concerning it is to discover unexpected usage on your API credentials. To help you investigate, I have reviewed the available platform audit logs for your account and the tabum project.

Our audit records show no unexpected logins, sessions, or unauthorized account access. Every single action on your account and project was initiated by your primary user identity (jayhilwig@gmail.com).

Here are the specific audit log events regarding your ANTHROPIC_API_KEY for today (June 10, 2026):

  • Environment Variable Viewed: At 17:23:48 UTC, the environment variable was decrypted and viewed in the Vercel Dashboard by your user account.
  • Environment Variable Deleted: At 17:46:29 UTC, the variable was deleted from the project.
  • Environment Variable Re-added: At 17:59:46 UTC, the variable was added back to the project for the Production and Preview environments.
  • Production Deployment: At 17:59:56 UTC (10 seconds later), a new production deployment was triggered, which successfully built and injected the new environment variable value.

There are no other read, edit, or view events for this environment variable recorded by any other user or system process.

Given that there are no signs of platform-level compromise or dashboard access by third parties, there are two primary vectors through which these unexpected model calls might be occurring:

  • Vector A: Dynamic Model Routing via an Unauthenticated API Route: If your application has a public API endpoint (such as /api/chat or /api/generate) that routes requests to Anthropic, check if your code dynamically reads the model parameter from the incoming request body (e.g., model = req.body.model || 'claude-haiku-4-5-20251001'). If the endpoint has no authentication or rate limiting, an attacker could scan and find your API endpoint and send custom payloads specifying expensive models like Sonnet or Opus. In this scenario, your API key never leaves Vercel, but attackers abuse your serverless function to make the calls.
  • Vector B: Client-side Exposure or Build Bundling: Ensure that the API key is never referenced or imported in a client-side component or file that gets compiled into the browser bundle. Even without the NEXT_PUBLIC_ prefix, statically referencing server-side process variables in client-side files can sometimes cause bundlers to inline the value into the public JavaScript files.
  • Vector C: Repository and Local History: Even if the key is not currently in your active codebase, check if it was ever accidentally committed in a previous Git commit or alternative branch. Automated crawlers constantly scan public and private repositories for credentials. Also, verify that any local .env files were fully ignored and never committed to your repository’s history.

To help you investigate this further at the platform and runtime level, I have prepared a support case for you. The case form is visible below this message. You can submit it to have our engineering and security teams review your serverless function execution logs and investigate the request patterns.
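The "Vector A" pattern from the reply above, shown as an added example that is not code from the thread or from Vercel: a route that takes the model from the request body next to a hardened version that pins the model server-side, checks a shared route token (hypothetical `APP_ROUTE_TOKEN`) in constant time, and caps requests per client. Handlers take a plain `{ headers, body }` object and return the upstream request they would send, so the example runs offline without the Anthropic SDK.

```javascript
// Added example (not from the thread). Handlers return the request they *would* send
// upstream instead of calling the provider, so the contrast can be exercised offline.
const PINNED_MODEL = 'claude-haiku-4-5-20251001'; // the only model in the app's code

// Vulnerable shape from "Vector A": the model comes from the request body and nothing
// identifies the caller, so anyone who finds the route can bill any model to the key.
function vulnerableHandler(req) {
  const model = (req.body && req.body.model) || PINNED_MODEL;
  return { status: 200, upstream: { model, messages: req.body.messages } };
}

// Hardened version: constant-time token check (hypothetical APP_ROUTE_TOKEN value is
// passed in as routeToken), per-client request cap, model pinned server-side.
function tokenMatches(provided, expected) {
  const a = String(provided), b = String(expected);
  let diff = a.length ^ b.length; // length mismatch still walks the full loop
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

const RATE_LIMIT = { windowMs: 60_000, max: 20 }; // assumed budget per client per minute
const buckets = new Map(); // clientId -> { count, resetAt }

function rateLimited(clientId, now) {
  const b = buckets.get(clientId);
  if (!b || now >= b.resetAt) {
    buckets.set(clientId, { count: 1, resetAt: now + RATE_LIMIT.windowMs });
    return false;
  }
  b.count += 1;
  return b.count > RATE_LIMIT.max;
}

function hardenedHandler(req, routeToken, now = Date.now()) {
  const auth = (req.headers && req.headers.authorization) || '';
  if (!auth.startsWith('Bearer ') || !tokenMatches(auth.slice(7), routeToken)) {
    return { status: 401, upstream: null };
  }
  const clientId = (req.headers && req.headers['x-forwarded-for']) || 'unknown';
  if (rateLimited(clientId, now)) return { status: 429, upstream: null };
  const messages = req.body && Array.isArray(req.body.messages) ? req.body.messages : null;
  if (!messages) return { status: 400, upstream: null };
  // Any client-supplied "model" is ignored; only the pinned model reaches the provider.
  return { status: 200, upstream: { model: PINNED_MODEL, messages } };
}
```

If the deployed route already looks like the hardened form, provider usage of a model other than the pinned one cannot have come through that route, which is the distinction the thread is trying to draw.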

I pay for v0 but not Vercel so this is the response from the AI bot:
Vercel Case


Visit our Community for further help or create a paid account for dedicated Accounts → Account Settings support.

Thank you for reviewing the audit logs.

The environment variable history is helpful and confirms that the variable was only modified through my account. However, I do not believe the current evidence fully aligns with the explanations provided so far.

My application is hardcoded to use only claude-haiku-4-5-20251001.

The Anthropic logs associated with this key show requests using Opus 4.6, Opus 4.7, Opus 4.8, Sonnet, and Fable, along with large streaming requests and token counts that do not resemble my application’s scheduled workload. Those model identifiers do not exist anywhere in my codebase.

Regarding the three possible vectors you mentioned:

Vector A: Dynamic model routing through an unauthenticated API route

I understand this possibility. However, the application does not dynamically select Anthropic models from user input. The model is explicitly defined in code as claude-haiku-4-5-20251001.

If Vercel can correlate the Anthropic requests to specific function executions, request logs, or deployment traces, I would appreciate that information. That would help determine whether the requests originated through my application at all.

Vector B: Client-side exposure or build bundling

I have reviewed the codebase and the Anthropic API key is not referenced in any client-side component, browser bundle, or NEXT_PUBLIC_* variable. The key exists only as a server-side environment variable.

Additionally, the most recent Anthropic keys were stored as Sensitive Environment Variables and were not stored in source code, browser-accessible configuration, or client-side assets.

If Vercel has any tooling that can confirm whether a secret appeared in a client bundle or deployment artifact, I would be interested in reviewing that information.

Vector C: Repository history or local files

The key in question was newly created and added directly to Vercel. It was never committed to Git, pushed to a repository, shared with collaborators, or used in another project. I am the sole member of the account/team.

For that reason, I do not believe repository history can explain usage of this particular key.

I would also like to mention that this is not the first occurrence. Prior to migrating this project to Anthropic, I experienced similar unexplained usage patterns with OpenAI API keys. I am not asserting that the two incidents have the same root cause, but the similarity is part of why I am attempting to identify any common factor across my deployment workflow, tooling, or environment.

For additional context, I documented the investigation publicly here:

At this point, my primary goal is determining whether the observed Anthropic requests can be correlated to actual Vercel runtime executions.

Specifically:

  • Can the Opus/Sonnet/Fable requests be tied to specific Vercel function executions?

  • Can they be correlated to a deployment ID or runtime trace?

  • Are there runtime logs available that would show the actual model value being sent from my deployed application?

  • Does the “Environment Variable Viewed” event indicate that the secret value itself was revealed/decrypted, or does it simply indicate that the Environment Variables page was accessed?

  • If the secret value was actually revealed, is there associated IP address, browser, user agent, or session information available for that event?

The key contradiction I am trying to resolve is that the deployed application is hardcoded to Haiku, while the observed requests are using Opus, Sonnet, and Fable. Understanding whether those requests originated from Vercel runtime executions would significantly narrow the scope of the investigation.

Thank you for any additional detail your team can provide.
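The comparison the reply above keeps coming back to (a deployment hardcoded to Haiku versus provider records showing other models, streaming and large token counts) can be done mechanically on the user's side. This is an added example, not code from the thread; the records and their field names (`request_id`, `model`, `input_tokens`, `output_tokens`, `stream`) are constructed for illustration rather than taken from a real Anthropic export, and the token ceiling and no-streaming assumption are placeholders for what the app's own code allows.

```javascript
// Added example (not from the thread): flag provider usage records that the deployed
// app, as written, could not have produced. Field names and values are constructed.
const EXPECTED_MODEL = 'claude-haiku-4-5-20251001'; // the only model in the codebase
const MAX_OUTPUT_TOKENS = 2000;  // assumed ceiling for this app's scheduled workload
const APP_USES_STREAMING = false; // assumption: the app makes non-streaming calls

// Constructed sample: one legitimate call and three that match nothing in the app.
// Model ids for the other models are placeholders, not real identifiers.
const sampleRecords = [
  { request_id: 'req_001', model: 'claude-haiku-4-5-20251001', input_tokens: 900, output_tokens: 250, stream: false },
  { request_id: 'req_002', model: 'opus-model-id-placeholder', input_tokens: 41000, output_tokens: 9800, stream: true },
  { request_id: 'req_003', model: 'sonnet-model-id-placeholder', input_tokens: 3200, output_tokens: 1200, stream: true },
  { request_id: 'req_004', model: 'claude-haiku-4-5-20251001', input_tokens: 700, output_tokens: 6400, stream: false },
];

function triageUsage(records, opts = {}) {
  const expectedModel = opts.expectedModel || EXPECTED_MODEL;
  const maxOut = opts.maxOutputTokens || MAX_OUTPUT_TOKENS;
  const allowStreaming = opts.allowStreaming ?? APP_USES_STREAMING;
  const findings = [];
  const tokensByModel = {}; // total tokens billed per model, for the spend picture
  for (const r of records) {
    tokensByModel[r.model] = (tokensByModel[r.model] || 0) + r.input_tokens + r.output_tokens;
    const reasons = [];
    if (r.model !== expectedModel) reasons.push('model-absent-from-codebase');
    if (r.output_tokens > maxOut) reasons.push('output-above-expected-ceiling');
    if (r.stream && !allowStreaming) reasons.push('streaming-not-used-by-app');
    if (reasons.length) findings.push({ request_id: r.request_id, model: r.model, reasons });
  }
  // A record with any reason did not come from the app as deployed: either the route is
  // being driven by someone else, or the key is in use outside the deployment entirely.
  return { findings, tokensByModel, suspectCount: findings.length };
}
```

The flagged `request_id` values are exactly the ones worth handing to the provider and to platform support when asking for correlation against function executions.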

I wrote to security@vercel.com per the docs at:
https://v0.app/docs/security

That state: *If you discover a security vulnerability in v0, please report it to our security team at security@vercel.com. We take all security reports seriously and will respond promptly.*
Note I have been a paying v0 customer on and off for over 2 years. I was disappointed to receive the “unmonitored email” AI response below. I don’t understand the request for me to be a Premium member to get actual human support when I’m an active v0 user. Why are they distinguished? I don’t actually use strict Vercel offerings at all but I have to have an account outside of v0?

__________________________________

Hi there,

Thanks for reaching out. This inbox does not provide security support and is not actively monitored for help requests. To make sure your message reaches the right team, please use one of the channels below.

For help with your Vercel account, including security-related issues: please go to Help (vercel.com/help). This is the fastest path to get help.
◦ This includes account access problems, billing, MFA, audit logs, suspicious activity on your account, suspected account takeover or compromise, abuse on a project you own, or any other product issue.
◦ Vercel’s Customer Support team monitors this channel and will route your request to the right specialist (including our Security, Trust & Safety, or Abuse teams) if escalation is needed.
◦ Reaching out via vercel.com/help, even for security-flavored concerns, will get you a response far faster than emailing security@.

For reporting a security vulnerability in Next.js or the Vercel platform, please submit through our HackerOne program: HackerOne

For compliance, security documentation, and trust resources such as SOC 2, ISO, pen test summaries, sub-processors, and security questionnaires, see our Trust Center at: https://security.vercel.com/

Law enforcement requests, subpoenas, court orders, preservation letters, and civil discovery: please email legalrequests@vercel.com

Privacy, DSAR, or GDPR requests: please email privacy@vercel.com

DMCA and copyright takedown notices: Report Abuse On Vercel

Support requests sent to this inbox are not monitored and will not be answered. Use the channels above to get help.

Best,
▲ Vercel Security

Thank you for bringing this to our attention. To ensure this is investigated with the necessary priority and privacy, please report all security-related concerns, potential exploits, or abuse directly to the Vercel Security Team.

Please submit your report here: Report Abuse On Vercel

Reporting via this official channel is the fastest way to reach our security engineers and ensures that sensitive information is handled in a secure environment rather than a public forum.

I emailed abusereports@vercel.com

__________________________________________
Hello Vercel Security Team,

I am a Vercel Hobby user investigating repeated unexplained API usage involving credentials that were stored in my Vercel account and would appreciate review by the appropriate security team.

I am not alleging that Vercel is responsible for this activity. I am attempting to determine whether there is any platform-level information that can help explain what I am observing.

Summary:

  • I am the sole member of my Vercel account/team.

  • I recently created a new Anthropic API key and stored it as a Sensitive Environment Variable in a single Vercel project (Tabum).

  • The application is hardcoded to use only claude-haiku-4-5-20251001.

  • After the key was added to Vercel, Anthropic logs showed requests using models that do not exist anywhere in my codebase, including Opus 4.6, Opus 4.7, Opus 4.8, Sonnet, and Fable.

  • The logs also show large streaming requests and token counts that do not resemble my application’s expected workload.

  • Similar unexplained usage previously occurred with OpenAI API keys before I migrated the project to Anthropic.

I previously contacted Vercel support through the AI support workflow. The response indicated that:

  • The environment variable was viewed.

  • The environment variable was deleted.

  • The environment variable was re-added.

  • A deployment occurred afterward.

The response suggested three possible explanations:

  1. Unauthenticated API route abuse.

  2. Client-side exposure or build bundling.

  3. Repository history or local file exposure.

I have investigated each of these possibilities:

  • The application does not dynamically route models from user input. The Anthropic model is explicitly defined in code as claude-haiku-4-5-20251001.

  • The API key is not present in client-side code, browser bundles, or NEXT_PUBLIC_* variables.

  • The key was newly created, never committed to Git, never stored in source control, and never shared with collaborators.

  • The most recent keys were stored as Sensitive Environment Variables.

  • I have rotated credentials multiple times, enabled passkeys, reviewed account access, and isolated Claude Code-related keys.

The primary issue I am attempting to resolve is that the deployed application is hardcoded to Haiku, while the observed requests are using Opus, Sonnet, and Fable models.

I would appreciate any assistance determining:

  • Whether the observed Anthropic requests can be correlated to actual Vercel function executions.

  • Whether deployment traces, runtime logs, or request traces can identify the source of those requests.

  • Whether the “Environment Variable Viewed” event represents the secret value being revealed/decrypted versus simply accessing the environment variables page.

  • Whether there is any associated session, browser, user agent, or IP information available for that event.