Fix guide · medium · bearer_token_inline
Hardcoded Authorization Bearer token in client
What this rule means
A literal Authorization: Bearer <token> value was found in your client code.
Why it matters
Whatever API the token authenticates to is callable by anyone who reads your bundle. The risk depends on what the token allows: it could be a shared service account credential, a personal access token, or a JWT.
How to fix it
- Identify the token's source. If it's a JWT, decode it to see what it grants.
- Rotate it at the issuer.
- Replace it with a runtime auth pattern: have the browser authenticate with a user-scoped session, and make the upstream call server-side, where that session is exchanged for the upstream credential.
- Never inline auth headers in client request configs.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.