If your Perplexity API key exposed in a .env file or public repository, treat it as compromised immediately. Go to perplexity.ai/settings/api, delete the exposed key, and generate a new one before you do anything else. If the key appeared in a public repo, assume it was scraped within minutes — Perplexity usage logs will show you whether it was.
The harder question is how it got there. If you're running AI coding agents — Claude Code, Cursor, Copilot — those agents read your project files, including .env. A misconfigured tool call, a prompt injection in a file you opened, a session where the agent summarized your environment: any of these can move a key from your local disk to an LLM output to somewhere you never intended.
AgentGuard360 sits between your AI agents and the outside world. It scans every token leaving a session for credential patterns, redacts them before the model ever delivers them, and fires a dashboard and email alert the moment a pplx- key shows up in agent output. The key never leaves your machine in clear text.
You cannot unexpose the old key. You can make sure the new one does not follow it.
