IndustriesWorkPlaybookHow it worksAboutBook a systems auditBring us your idea

What breaks first on a vibe-coded app?

Straight answer

The predictable ones, in rough order: exposed keys get found, the open database gets read, logins that never really protected anything get bypassed, and the app buckles under real traffic or edge cases. Vibe-coded apps optimise for a working demo, so the parts that only matter with real users and real attackers are the parts that fail first.

Information current as at 5 July 2026

Apps built quickly with AI, sometimes called vibe-coded, tend to fail in a recognisable pattern, because they are all optimised for the same thing: making the demo work. The parts that only matter once real people and real pressure arrive are the parts that get skipped, and so they are the parts that break first. Knowing the pattern lets you reinforce the weak points before they give.

Plain English
Vibe-coded
Built rapidly by describing what you want to an AI, prioritising a working result over rigour.
Edge case
An unusual input or situation the happy-path build never accounted for.
Validation
Checking that input is what it should be before the app trusts and uses it.
Rate limiting
Capping how often something can be done, to blunt abuse and overload.

First to go: the exposed secrets

The earliest and most common failure is not the app crashing, it is a secret being found. Vibe-coded apps frequently ship with API keys and database credentials sitting in the frontend or a public repository, and automated tools scan the internet for exactly these strings constantly. So the first thing that breaks is often invisible: a key is discovered and quietly used, running up charges or reaching data, before the owner notices anything. Technology press reporting (XDA Developers) has described vibe-coded apps routinely shipping with exposed keys and data, and this is why it leads the list. It requires no skill to exploit a key left in plain sight, only a scanner that finds it.

Next: the open database

Close behind is the database that was never locked down. When an AI builder wires up data storage to make a feature work, it often leaves the access rules permissive or unset, because restrictive rules would get in the way of the demo. The result is a database that, in principle, anyone who learns its address can read from or write to. This holds firm right up until someone looks, and then it fails completely, exposing whatever it holds. Because customer data cannot be un-leaked, this is among the most damaging failures, and it is entirely silent until the moment it is not. An open database does not degrade gracefully; it is either protected or it is not.

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Then: the logins that never really worked

The third failure is authentication that protects the appearance of privacy but not the substance. A vibe-coded app often hides a page behind a login in the browser, while the data behind it remains reachable by anyone who asks the server directly, bypassing the login entirely. Similarly, the check for whether one user may see another user's record is frequently missing, so changing a number in the address exposes someone else's information. These hold up under casual use, which is why they pass the demo, and give way the moment anyone tests them properly. The login looked like a wall; it was a curtain.

Finally: the weight of real use

The last category is everything that only matters at scale or under stress, and it arrives last because it needs real users to trigger. Inputs the build never anticipated, a strange character, a huge upload, an empty field, cause errors because validation was skipped. Actions that can be repeated endlessly, like sign-ups or messages, get abused because there was no rate limiting. Performance sags because the app fetches too much or was never tested beyond a handful of records. None of these show up when the maker clicks through gently. They surface when the app meets the messy reality of many people using it in ways the demo never did. The fix for the whole pattern is the same: treat the invisible parts, security, access, validation, resilience, as real work rather than assuming a working demo means a finished product.

Common questions

Questions, answered

Why do vibe-coded apps fail in such a predictable way?
Because they are all optimised for the same goal: a working demo. That focus reliably produces the same skipped areas, security, access control, input handling, resilience, so the same things break first across almost every app. The predictability is actually useful, because it tells you exactly where to look before anyone else does.
Is the first failure always something crashing?
Often not. The earliest failures are silent: an exposed key found and used, or an open database read, with no crash and no alert. The app keeps working normally while the damage happens quietly. That is what makes these failures dangerous, and why a deliberate security check matters more than waiting for something visible to break.
My app has run fine for months. Does that mean it is solid?
Not necessarily. Many of these failures are dormant until someone looks, so running smoothly mostly means no one has probed it yet. An open database or exposed key can sit unexploited for a long time and then fail all at once. Quiet is not the same as secure; a deliberate check is the only way to know.
What should I fix first?
Follow the order these fail in. Rotate and hide any exposed keys, then lock down your database access, then make sure your logins actually protect the data and not just the page, then add input checks and limits. That sequence matches where the risk is highest and where the fixes are most urgent.
No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Start here

Two doors. Same senior team.

Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.