Fix guide · critical · openai_key
OpenAI API key in your client bundle
What this rule means
A string matching sk-* or sk-proj-* was found in your deployed JavaScript.
Why it matters
Anyone who reads your site's JS can issue inference calls billed to your account, and cost can hit thousands of dollars per day before you notice. Automated scrapers harvest these keys from public bundles within hours, so assume the key was compromised the moment it shipped.
How to fix it
- Revoke the key immediately at https://platform.openai.com/api-keys.
- Move the new key to server-only env vars. Never use a name with the NEXT_PUBLIC_, VITE_, or PUBLIC_ prefix: those prefixes tell the bundler to inline the value into client code.
- Pattern your calls as client → your API → OpenAI. Never call OpenAI from the client directly.
- Set a spend or rate limit in the OpenAI console as a safety net.
- Add a CI gate that fails any future deploy containing the key pattern:
vibecheck https://your-deploy.com --exit-on critical
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again; the finding should clear.