Fix guide · critical · brevo_api_key

Brevo (formerly Sendinblue) API key in your client bundle

Why it matters

Send mail on your behalf, manage contact lists, modify automation flows. Automated scrapers harvest these keys from public bundles within hours; assume the key is compromised the moment it shipped.

How to fix it

1. Revoke the key immediately at https://app.brevo.com/settings/keys/api.
2. Move the new key to server-only env vars. Never use a name with the NEXT_PUBLIC_, VITE_, or PUBLIC_ prefix.
3. Pattern your calls as client → your API → Brevo (formerly Sendinblue). Never client → Brevo (formerly Sendinblue) directly.
4. Set a spend or rate limit in the Brevo (formerly Sendinblue) console as a safety net.
5. Add a CI gate to fail any future deploy that includes the key pattern: vibecheck https://your-deploy.com --exit-on critical.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.