Fix guide · high · datadog_app_key_labelled

Datadog Application key in client code

Why it matters

Application keys (different from API keys) grant access to the Datadog API on behalf of the user who created them. Paired with an API key, attackers get read access to your dashboards, monitors, logs, traces — and write access to modify them.

How to fix it

1. Revoke at app.datadoghq.com/organization-settings/application-keys.
2. Move all Datadog API calls server-side. Application keys should never appear in browser-bundled code.
3. Audit Datadog usage logs for unfamiliar API calls during the exposure window.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.