How We “Hacked” an AI Service During the Global Hackathon (and Then Used the Same Trick on Others)
TheAngmarCore



Publish Date: Jun 15

Imagine this: you're a vibe coder. 😐 (Many developers are already shocked they even imagined that for a second—but bear with us.)

You’ve heard of a service called bolt.new, and you've just been invited to a hackathon. Not just any hackathon, but a world vibe-coding hackathon. (Yeah, these guys actually went all in.)

But there’s a problem—you’ve been given a very limited number of tokens. And you quickly realize that’s nowhere near enough for your project. Frustrated, you're about to give up—until you find this post.

For those unfamiliar: Bolt.new is a browser-based platform for developing web applications using artificial intelligence. It allows you to create, edit, and deploy applications directly in the browser by generating code based on natural language prompts. In the free version, tokens are consumed quickly—especially if the AI makes mistakes you ask it to correct (which also costs tokens). And let’s be honest—paying $20 to $400 a month for a subscription? Not appealing.

So what did we do? That’s right—we removed the token limitation. And surprisingly, it was pretty easy.

Imagine the face of someone who just paid $500 to get millions of tokens. 😏

And the funny part? This kind of issue appears in many other AI platforms as well. Which ones? We won’t say—because most of them have already been notified and have (hopefully) started fixing these vulnerabilities. That’s why this trick could be considered universal.

However, for some reason, bolt.new still hasn’t patched the vulnerability. And if it’s still open—why not share the method, using bolt.new as the example?

⚠️ Important: We do not encourage abusing this method or using it to harm others. This post is intended to raise awareness so developers can fix the issue. This is not “hacking” in the classic sense—it’s more of a session manipulation technique.

📌 Bypassing AI Token Limits via Client-Side Session Manipulation

Below is a method for temporarily bypassing usage limits in the bolt.new AI platform, based on how the browser session (client-side) behaves. This method does not exploit security vulnerabilities or server-side logic; instead, it relies on UI behavior when multiple accounts are used across different browser tabs.

🔁 Step-by-Step Instructions:

  1. Open bolt.new in a private/incognito browser window to avoid cached data. (Although at the time of writing, this often works even without incognito mode.)

  2. Log into an existing account and use up your available tokens.

  3. Without closing the current tab, open a new private/incognito window or tab and log out of your current account.

  4. Register a new account using a temporary email (e.g., via minmail or similar).

  5. Go back to the original tab with your first account without refreshing the page.

  6. Try submitting a new prompt to the AI assistant — in some cases, the system will continue using the previous session’s authentication data, allowing you to spend the new account’s tokens without formally logging into it.

⚠️ Notes:

This trick works because the authorization state on the client side (possibly in localStorage or in JavaScript memory) remains active until the page is manually refreshed, so a tab that was never reloaded keeps sending requests with whatever state it loaded earlier.

This method does not guarantee consistent results and may stop working as authorization checks are improved.

Glitches may occur when restoring backups or returning to an earlier version.

And that’s the end of our little post. Thanks for reading and we wish you all the best, dear reader 😁

For quick contact, feel free to reach out via our Telegram chat:
👉 https://t.me/theangmarcore_chat

Reminder: We have already reported this vulnerability to the respective service developers.
