What causes an API key or secret accidentally committed to Git?

A secret was committed in a config file or script, and even after deleting it the value still lives in every past commit and every clone, so it remains exposed.

How do I catch this when it only happens for some players?

Capture it automatically from the player's device with the full stack trace, the device and OS, the build, and a breadcrumb trail of what they did. That turns a vague complaint into a specific, reproducible issue you can fix without owning the hardware it happens on.

How to Remove a Leaked API Key From Your Git History

Quick answer: Rotate the leaked credential immediately, then rewrite history with git filter-repo to scrub the secret from every commit and force-push the cleaned history.

Deleting a leaked key in a new commit does nothing — it is still one click away in the history. Rotate first, then scrub. Here is the order that actually closes the hole.

How to fix it

1. Rotate the credential first

Assume the key is already compromised and revoke or regenerate it before touching history, because scrubbing the repo does not un-leak what crawlers may have already grabbed.

2. Scrub it from every commit

Run git filter-repo with the secret in a replacements file to purge it from all history, then force-push and ask collaborators to re-clone.

3. Add a secret scanner

Install a pre-commit hook like gitleaks so future secrets are caught before they ever reach a commit.

Catching the ones you can't reproduce

The hardest version of this to fix is the one you can't reproduce — it only happens on a player's hardware, OS, driver, or save state, under conditions that simply aren't present on your machine. A report that says “it crashed” or “it froze” gives you nothing to act on, so the bug survives release after release while quietly costing you players.

Automatic error capture closes that gap. Each failure arrives with its full stack trace, the device and OS, the build number, and a breadcrumb trail of what the player did right before it broke, so even a failure you have never seen becomes a specific, reproducible issue. Fold identical failures into one signature ranked by how many players each hits, and your worklist sorts itself worst-first instead of arriving as a stream of vague complaints.

This is where a tool like Bugnet earns its place. Its SDK captures every error automatically with the full stack trace plus device, OS, memory, build, and game-state context, folds duplicates into one grouped issue with an occurrence count, and ties each to the build it first appeared on — so you fix the problem that hurts the most players first and confirm it is gone when its signature disappears from the next release.

A crash you can name from its stack trace is a crash you can usually fix in minutes.