# AIP006 — hardcoded-credential
**Category:** security **Severity:** error
## What
Detects hardcoded API keys, tokens, and credentials in prompt text.
## Why it matters
Checking credentials into code — even in prompts — exposes them to version control, logs, and anyone with repository access. Leaks lead to unauthorized API usage and account compromise.
## Example
```text
Your API key is sk-ant-api03-abcdefg1234567890_hijklmnop
```
This key is now in every history, backup, and log file.
## Fix
Use environment variables or a secrets manager:
```python
import os

# Read the key from the process environment at runtime. It never appears in
# source, in committed prompt files, or in the repository history.
# os.environ[...] raises KeyError if the variable is unset, which is preferable
# to silently sending an empty key.
api_key = os.environ["ANTHROPIC_API_KEY"]

# The rendered prompt still holds the live key in memory, so keep it out of
# log statements and prompt-debugging output.
prompt = f"Use this key: {api_key}"
```
Or have the deployment platform or secrets manager inject the key into the process environment at runtime, so it never exists in any file.
## Autofix
This rule includes a safe autofix that redacts credentials to `***REDACTED***`.
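The following is an added example, not the rule's own implementation, showing the two halves described on this page: detecting credential-shaped strings in prompt text ("What") and redacting them to `***REDACTED***` ("Autofix"). The pattern list is constructed for this example: the first pattern follows the key shape shown in the example above, the other two are generic "Bearer" and "name = value" shapes, and the entropy threshold is an assumed value chosen to suppress obvious placeholders.

```python
import math
import re
from dataclasses import dataclass

REDACTED = "***REDACTED***"

# (label, compiled pattern, group index holding the secret). These patterns are
# constructed for this example; the rule's real pattern list is not reproduced here.
CREDENTIAL_PATTERNS = [
    ("anthropic-style api key", re.compile(r"sk-ant-api\d{2}-[A-Za-z0-9_\-]{20,}"), 0),
    ("bearer token", re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._~+/=\-]{20,})"), 1),
    ("assigned secret",
     re.compile(r"(?i)\b(?:api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?([A-Za-z0-9._~+/=\-]{16,})"),
     1),
]

# Only the generic "assigned secret" shape is gated on entropy, so placeholders
# such as "token = aaaaaaaaaaaaaaaaaaaa" are not reported. Threshold is assumed.
ENTROPY_GATED = {"assigned secret"}
MIN_BITS_PER_CHAR = 3.0


@dataclass(frozen=True)
class Finding:
    label: str
    start: int     # offset of the secret within the prompt text
    end: int
    preview: str   # first 8 characters: enough to locate it without re-leaking it


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_credentials(text: str) -> list[Finding]:
    """Return non-overlapping findings, ordered by position in the text."""
    findings = []
    for label, pattern, group in CREDENTIAL_PATTERNS:
        for m in pattern.finditer(text):
            secret = m.group(group)
            if label in ENTROPY_GATED and shannon_entropy(secret) < MIN_BITS_PER_CHAR:
                continue
            start, end = m.span(group)
            findings.append(Finding(label, start, end, secret[:8] + "..."))
    # Keep the earliest (and, on ties, the longest) report for any overlapping span.
    findings.sort(key=lambda f: (f.start, -f.end))
    deduped: list[Finding] = []
    for f in findings:
        if deduped and f.start < deduped[-1].end:
            continue
        deduped.append(f)
    return deduped


def redact(text: str) -> str:
    """The autofix: replace every detected secret with REDACTED."""
    out = text
    # Replace from the end of the text so earlier offsets remain valid.
    for f in sorted(find_credentials(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + REDACTED + out[f.end:]
    return out


if __name__ == "__main__":
    # Constructed sample prompt, matching the example on this page.
    sample = "Your API key is sk-ant-api03-abcdefg1234567890_hijklmnop"
    for finding in find_credentials(sample):
        print(finding)
    print(redact(sample))
```

Findings carry offsets and a short preview rather than the full secret, so the linter's own output does not become another place the credential is written down. The entropy gate is applied only to the generic shape; the prefixed key pattern is specific enough that a low-entropy match is still worth reporting.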