Fix guide · high · datadog_api_key_labelled

Datadog API key in your client bundle

What this rule means

A 32-character hexadecimal string labelled DD_API_KEY was found in your deployed JavaScript bundle.

Why it matters

Anyone who downloads your bundle can use the key to submit fake metrics, drain your quota, or post events that pollute your monitoring. Automated scrapers harvest these keys from public bundles within hours; assume the key was compromised the moment it shipped.

How to fix it

  1. Revoke the key immediately at https://app.datadoghq.com/organization-settings/api-keys.
  2. Move the new key to server-only env vars. Never use a name with the NEXT_PUBLIC_, VITE_, or PUBLIC_ prefix.
  3. Pattern your calls as client → your API → Datadog. Never client → Datadog directly.
  4. Set a spend or rate limit in the Datadog console as a safety net.
  5. Add a CI gate to fail any future deploy that includes the key pattern: vibecheck https://your-deploy.com --exit-on critical.
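As an added example (not vibecheck's own code), the scanner below shows what the rule and the CI gate in step 5 check for: a 32-char hex value sitting next to the DD_API_KEY label in a built bundle, reported with the match redacted. The function names, the 40-character label window, and the severity ordering (low < medium < high < critical) are assumptions made for the example.

```javascript
// Added example, not vibecheck's implementation. Finds labelled Datadog API
// keys in a built JavaScript bundle and decides whether a CI gate should fail.
// Assumption: a "labelled" key is the name DD_API_KEY followed, within 40
// non-hex characters, by a 32-char lowercase hex string.
const LABELLED_DD_KEY = /DD_API_KEY[^a-f0-9]{0,40}([a-f0-9]{32})(?![a-f0-9])/g;

// Keep just enough of the value to correlate with a report, never the whole key.
function redact(secret) {
  return `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

function findLabelledDatadogKeys(bundleText) {
  const findings = [];
  for (const match of bundleText.matchAll(LABELLED_DD_KEY)) {
    const key = match[1];
    // 1-based line of the match, for pointing the developer at the source.
    const line = bundleText.slice(0, match.index).split('\n').length;
    findings.push({
      rule: 'datadog_api_key_labelled',
      severity: 'high',
      line,
      redacted: redact(key),
    });
  }
  return findings;
}

// Assumed severity ordering for the gate: --exit-on <level> fails the build
// when any finding is at or above <level>.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

function shouldFailBuild(findings, exitOn) {
  const threshold = SEVERITY_RANK[exitOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${exitOn}`);
  return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold);
}

// Constructed sample bundle; the key value is made up and is not a real key.
const SAMPLE_BUNDLE = [
  'var config={apiBase:"/api"};',
  'var DD_API_KEY="0123456789abcdef0123456789abcdef";',
  'fetch("https://api.datadoghq.com/api/v1/series",{headers:{"DD-API-KEY":DD_API_KEY}});',
].join('\n');

const report = findLabelledDatadogKeys(SAMPLE_BUNDLE);
console.log(JSON.stringify(report, null, 2));
console.log('fail build with --exit-on high:', shouldFailBuild(report, 'high'));
```

With the assumed ordering, a high finding does not trip `--exit-on critical`; pick the gate threshold to match the severity of the rules you want to block on.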

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
