Client-side credential exposure happens when a secret is embedded in code delivered to the browser or app package. The user can recover it locally, which means the secret is no longer protected by a server-side trust boundary.
Expanded Definition
Client-side credential exposure is broader than accidental hardcoding in a browser script. It also includes credentials bundled into desktop apps, mobile packages, Electron builds, single-page application assets, and configuration files that ship to end users. Once the secret is delivered to the client, it can be extracted through source inspection, memory inspection, proxying, or static package analysis, so the trust boundary has already shifted away from the server.
In NHI security, the issue is not merely “where the code runs” but whether the credential was ever meant to leave controlled infrastructure. Public documentation from the OWASP Non-Human Identity Top 10 treats secret handling as a core identity risk, while NHI Management Group consistently frames static secrets as a primary cause of preventable exposure in Ultimate Guide to NHIs — Static vs Dynamic Secrets. Industry usage is still evolving on whether short-lived client tokens belong in this category, but the practical test is simple: if the client can recover it and reuse it outside the intended trust zone, it is exposed.
The most common misapplication is treating obfuscated code or packaged binaries as secure storage when the condition for extraction is still present.
Examples and Use Cases
Implementing client-side credential controls rigorously often introduces build and deployment friction, requiring teams to weigh user experience and offline functionality against the cost of stronger secret isolation.
- A mobile app ships with an embedded API key for a backend service; reverse engineering the app reveals the key, which can then be reused from outside the application.
- A browser-based frontend calls a third-party service with a secret token stored in JavaScript; anyone viewing bundled assets can recover it and impersonate the application.
- An Electron desktop client includes a cloud access key in its local configuration; attackers extract it from the install directory and pivot into the cloud environment. NHI breach patterns like this recur across incidents documented in the 52 NHI Breaches Analysis.
- A CI-generated front-end build accidentally publishes credentials in source maps, making them easy to discover through routine web inspection and repository scraping.
- A public AI demo app stores service credentials in the client bundle to simplify prototyping, then exposes internal model endpoints to unauthorized use, a pattern also reflected in the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research from Entro Security.
For mobile and packaged software, the IOS app secrets leakage report shows how easily secrets can escape from client artifacts, while NIST SP 800-63 Digital Identity Guidelines reinforces that authenticators must be protected by appropriate assurance boundaries rather than casually embedded in distributable code.
Why It Matters in NHI Security
Client-side credential exposure is dangerous because it converts an internal NHI into a reusable public token. Once exposed, the secret can be harvested at scale, shared across criminal tooling, and used to access cloud APIs, SaaS services, or AI platforms without triggering the normal defensive controls that protect server-side assets. This is why NHI Management Group treats client-side exposure as a direct driver of secret sprawl and lateral abuse, especially when teams rely on static credentials instead of ephemeral alternatives described in the Guide to the Secret Sprawl Challenge.
The operational risk is not theoretical. In Entro Security’s LLMjacking research, attackers attempted access to publicly exposed AWS credentials in an average of 17 minutes, and in some cases as quickly as 9 minutes. That speed matters because exposure is often discovered only after anomalous usage, billing spikes, or account takeover symptoms appear. The most common failure mode is assuming a client-distributed token is “limited” enough to be safe, when in practice it becomes a standing credential with whatever privileges were granted to the application.
Organisations typically encounter the full impact only after abuse, credential rotation, or an incident response review, at which point client-side credential exposure becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret handling and exposure of non-human credentials. |
| NIST SP 800-63 | Defines identity assurance expectations for authenticators and credential protection. | |
| NIST CSF 2.0 | PR.AC-1 | Supports credential management and least-privilege access protection. |
Remove secrets from client-delivered code and replace them with server-side or ephemeral credential flows.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
