Description
Can we access your project?
- I give permission for members of the FlutterFlow team to access and test my project for the sole purpose of investigating this issue.
Current Behavior
When a Gemini API key is added in Settings → Gemini in FlutterFlow, and the project repository is pushed to GitHub, the Gemini API key is automatically committed to the repository.
This exposes a private, billable API key in plaintext to anyone with access to the repo (and potentially the public internet if the repo is public).
Expected Behavior
• API keys must never be committed to version control by default.
• The Gemini API key should be:
  • Stored securely (e.g. server-side, encrypted, or via environment variables), or
  • Explicitly excluded from GitHub commits, or
  • Replaced with a placeholder in the repo and injected at build/runtime.
• At minimum, users should receive a clear warning before any secret is pushed.
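The "warn before any secret is pushed" expectation can be enforced on the developer side today with a pre-commit hook. The script below is an added example, not part of this report or of FlutterFlow's code: it scans staged file contents for Google-issued API keys (Gemini keys use the 39-character `AIza…` form) and exits non-zero so git refuses the commit; the file paths and key value are constructed.

```python
#!/usr/bin/env python3
"""Pre-commit secret check: refuse the commit if a Google/Gemini-style API key
is present in any staged file. Added example; the sample below is constructed."""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Google-issued API keys (Gemini keys included) are 39 characters: "AIza" + 35 more.
GEMINI_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")


def find_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_key) for every key-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GEMINI_KEY_RE.finditer(line):
            key = match.group(0)
            hits.append((lineno, key[:8] + "..." + key[-4:]))  # never echo the full key
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> content; return only the files that contain keys."""
    findings = {}
    for path, content in files.items():
        hits = find_keys(content)
        if hits:
            findings[path] = hits
    return findings


def staged_files() -> Dict[str, str]:
    """Read every file staged for commit exactly as git will record it."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    contents = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, text=True)
        if blob.returncode == 0:  # skip binaries/renames git cannot show as text
            contents[name] = blob.stdout
    return contents


# Constructed sample shaped like generated code that embeds the key in plaintext.
SAMPLE = {
    "lib/backend/gemini/gemini.dart": 'const geminiApiKey = "AIzaSyConstructed_Example_Key_012345678";\n',
    "lib/main.dart": "void main() {}\n",
}

if __name__ == "__main__":
    findings = scan_files(staged_files() if "--git" in sys.argv else SAMPLE)
    for path, hits in findings.items():
        for lineno, redacted in hits:
            print(f"{path}:{lineno}: API key {redacted} would be committed")
    sys.exit(1 if findings else 0)  # non-zero blocks the commit when run as a hook
```

Run it with `--git` from `.git/hooks/pre-commit` to check the real index; without the flag it scans the constructed sample.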
Steps to Reproduce
1. Open a FlutterFlow project.
2. Navigate to Settings → Gemini.
3. Enter a valid Gemini API key.
4. Enable GitHub integration or push the project to GitHub.
5. Inspect the committed files in the GitHub repository.
Note the following:
• The Gemini API key is included in the committed source files.
• The key is visible in plaintext within the GitHub repository.
• No warning is shown to the user that a secret will be committed.
• The key is not masked, encrypted, or excluded via .gitignore.
Reproducible from Blank
- The steps to reproduce above start from a blank project.
Bug Report Code (Required)
ITFfi87huJVgoe5E1q6JasFKliQXJnkcTbkz0tZ+bwohfbLvOrMqO+PRVBNLYteYfAhiP1WLmTkCpfPGuPzPGsAEFzaCG4h9+L5XQRXjfEWtVYiNDIeaY3MlO9tTfUiD5sPQohNCIvp1SVof3GeANvCdG3qCf9qOYwx5e6fDbOY=
Visual documentation
Loom: https://www.loom.com/share/50f172e635ee4ec38ab3ddd2b1d7b8bb
Environment
See below
Additional Information
