Pasting an API key directly into a chat prompt to get your app working is one of those habits that feels harmless in the moment and catastrophic later. v0, Vercel's AI-powered app builder, just shipped a feature that catches this before it becomes a problem: it now automatically detects secrets in your prompt and converts them into environment variables on the spot.

The problem it's solving

When you're building fast with an AI coding tool, the path of least resistance is to paste credentials directly into the conversation. "Here's my OpenAI key, build me a chatbot." The key ends up hardcoded in generated source files, potentially committed to version control, and definitely sitting in your chat history. Automated secrets detection tools like GitGuardian scan codebases and config files for sensitive patterns, analyzing variable names, entropy signatures, and contextual indicators to identify exposed credentials before they reach production. v0 is now doing that same detection step, but proactively, right at the prompt layer.

The challenge with environment variable secrets lies in their dual nature: they can contain both sensitive credentials and harmless configuration values. Effective detection requires understanding context and patterns that distinguish between DATABASE_URL=postgres://user:pass@host/db (sensitive) and NODE_ENV=production (harmless).

What actually happens

When you type a prompt that includes something that looks like a secret, v0 intercepts it. Instead of embedding the raw value into generated code, it extracts the secret, stores it as an encrypted environment variable scoped to your project, and rewrites the generated code to reference it via