Fix guide · critical · atlassian_api_token

Atlassian (Jira, Confluence, Trello) API key in your client bundle

What this rule means

A string matching ATATT3xFfGF0* was found in your deployed JavaScript.

Why it matters

An Atlassian API token grants read/write access to your Jira issues, Confluence pages and Trello boards. Attackers can exfiltrate internal documentation or post bogus issues. Automated scrapers harvest these keys from public bundles within hours; assume the key is compromised the moment it shipped.

How to fix it

  1. Revoke the key immediately at https://id.atlassian.com/manage-profile/security/api-tokens.
  2. Move the new key to server-only env vars. Never use a name with the NEXT_PUBLIC_, VITE_, or PUBLIC_ prefix.
  3. Route every call as client → your API → Atlassian (Jira, Confluence, Trello). Never call Atlassian directly from the client.
  4. Set a spend or rate limit in the Atlassian (Jira, Confluence, Trello) console as a safety net.
  5. Add a CI gate to fail any future deploy that includes the key pattern: vibecheck https://your-deploy.com --exit-on critical.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
