Fix guide · critical · pinecone_key

Pinecone API key in your client bundle

What this rule means

A string shaped like a UUID, with the word 'pinecone' nearby, was found in your deployed JavaScript.
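
As an added illustration of what this rule matches (example code, not vibecheck's own scanner), the following scans a constructed bundle string for UUID-shaped values that have "pinecone" within a short window, redacts each hit so the report cannot re-leak the key, and maps the findings to the exit code a CI gate would use. The window size, redaction format and severity ranking are assumptions; both UUIDs in the sample are made up.

```javascript
// Added example, not vibecheck's scanner: flag UUID-shaped strings that have
// "pinecone" within a short window, the same idea as the pinecone_key rule.
// CONTEXT_WINDOW, the redaction format and the severity ranking are assumptions.
const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
const CONTEXT_WINDOW = 120; // characters searched on each side of a match

// Keep only the first group so a CI log cannot re-leak the key it just found.
function redact(match) {
  return match.slice(0, 8) + "-****-****-****-************";
}

// One finding per UUID-shaped string with "pinecone" nearby (case-insensitive).
function scanBundle(source) {
  const findings = [];
  const lower = source.toLowerCase();
  for (const m of source.matchAll(UUID_RE)) {
    const start = Math.max(0, m.index - CONTEXT_WINDOW);
    const end = Math.min(source.length, m.index + m[0].length + CONTEXT_WINDOW);
    if (!lower.slice(start, end).includes("pinecone")) continue;
    // Line number for the developer, redacted value for the report.
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ rule: "pinecone_key", severity: "critical", line, redacted: redact(m[0]) });
  }
  return findings;
}

// CI gate: 1 when any finding is at or above the --exit-on threshold, else 0.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };
function exitCodeFor(findings, exitOn = "critical") {
  const threshold = SEVERITY_RANK[exitOn];
  return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold) ? 1 : 0;
}

// Constructed stand-in for a minified bundle; both UUIDs are made up.
// The second one sits far from any "pinecone" text and must not be reported.
const SAMPLE_BUNDLE = [
  'import{Pinecone as e}from"@pinecone-database/pinecone";',
  'const t=new e({apiKey:"0f3a9c2e-7b1d-4e8f-9a6b-2c4d5e6f7a8b"});',
  'function render(){return React.createElement("div",{className:"results"},"Type a question above and matching documents will appear here after the search completes.")}',
  'const reactKey="7d2f1b3c-8a9e-4c5d-b6f7-1e2d3c4b5a69";',
].join("\n");

// Scan plus gate in one call, for use from a build script.
function runGate(source, exitOn = "critical") {
  const findings = scanBundle(source);
  return { findings, exitCode: exitCodeFor(findings, exitOn) };
}

const report = runGate(SAMPLE_BUNDLE);
for (const f of report.findings) console.log(`${f.severity} ${f.rule} line ${f.line}: ${f.redacted}`);
console.log(`exit code: ${report.exitCode}`);
```

Run against the constructed sample, only the key passed to the Pinecone constructor is reported (as `0f3a9c2e-****-****-****-************`, line 2), the unrelated UUID on line 4 is not, and the gate returns 1. In a real pipeline you would feed `runGate` the contents of each built `.js` file and call `process.exit(report.exitCode)`.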

Why it matters

The key grants read/write/delete access to every index in your project. Attackers can dump your vector store, poison your retrieval, or just delete everything. Automated scrapers harvest these keys from public bundles within hours; assume the key is compromised the moment it shipped.

How to fix it

  1. Revoke the key immediately at https://app.pinecone.io.
  2. Move the new key to server-only env vars. Never use a name with the NEXT_PUBLIC_, VITE_, or PUBLIC_ prefix: those prefixes tell the bundler to inline the value into client code.
  3. Route your calls as client → your API → Pinecone. Never call Pinecone directly from the client.
  4. Set a spend or rate limit in the Pinecone console as a safety net.
  5. Add a CI gate to fail any future deploy that includes the key pattern: vibecheck https://your-deploy.com --exit-on critical.
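
The server-side half of step 3, as an added example that is not vibecheck's or Pinecone's code: the browser sends only a query vector, the key is read from a server-only environment variable, and the handler decides what reaches Pinecone and what comes back. The upstream request shape (POST /query on the index host with an Api-Key header) follows Pinecone's REST data plane; check it against the current Pinecone docs before relying on it. The env var names, the index dimension, the topK cap and the injectable fetch are this example's assumptions.

```javascript
// Added example (not vibecheck's or Pinecone's own code): the server half of
// client -> your API -> Pinecone. The browser sends only a query; the key
// stays in a server-only environment variable and never reaches the client.
// The upstream shape (POST https://<index-host>/query, Api-Key header) follows
// Pinecone's REST data plane; env var names, dimension, caps and the fetch
// injection are this example's assumptions.

const VECTOR_DIM = 1536; // assumed dimension of the index
const MAX_TOP_K = 20;    // server-side cap the client cannot raise
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "PUBLIC_"];

// Read the Pinecone settings from server-side env only, refusing key names
// that bundlers would inline into client code.
function loadServerConfig(env) {
  for (const name of Object.keys(env)) {
    if (PUBLIC_PREFIXES.some((p) => name.startsWith(p)) && /PINECONE.*KEY/i.test(name)) {
      throw new Error(`${name} would be inlined into the client bundle; rename it`);
    }
  }
  const apiKey = env.PINECONE_API_KEY;
  const indexHost = env.PINECONE_INDEX_HOST; // e.g. "<index>-<project>.svc.<region>.pinecone.io" (placeholder)
  if (!apiKey || !indexHost) throw new Error("PINECONE_API_KEY and PINECONE_INDEX_HOST must be set on the server");
  return { apiKey, indexHost };
}

// Build the upstream request from an untrusted client body. Only vector and
// topK are accepted; anything else the browser sends (an apiKey, a namespace,
// a filter) is ignored, so the client cannot widen its own access.
function buildUpstreamRequest(config, clientBody) {
  if (!clientBody || !Array.isArray(clientBody.vector)) return { error: "vector required" };
  if (clientBody.vector.length !== VECTOR_DIM) return { error: `vector must have ${VECTOR_DIM} dimensions` };
  if (!clientBody.vector.every((x) => typeof x === "number" && Number.isFinite(x))) {
    return { error: "vector must contain finite numbers" };
  }
  const topK = Number.isInteger(clientBody.topK) && clientBody.topK > 0
    ? Math.min(clientBody.topK, MAX_TOP_K)
    : 10;
  return {
    url: `https://${config.indexHost}/query`,
    init: {
      method: "POST",
      headers: { "Api-Key": config.apiKey, "Content-Type": "application/json", Accept: "application/json" },
      body: JSON.stringify({ vector: clientBody.vector, topK, includeMetadata: true }),
    },
  };
}

// Return only what the UI needs; raw vectors and upstream error text stay server-side.
function shapeResponse(upstreamJson) {
  const matches = Array.isArray(upstreamJson.matches) ? upstreamJson.matches : [];
  return { matches: matches.map((m) => ({ id: m.id, score: m.score, metadata: m.metadata ?? null })) };
}

// The route handler your framework would mount (e.g. POST /api/search).
// fetchImpl is injectable so the flow can be exercised without network.
function createSearchHandler({ env = process.env, fetchImpl = globalThis.fetch } = {}) {
  const config = loadServerConfig(env);
  return async function handleSearch(clientBody) {
    const req = buildUpstreamRequest(config, clientBody);
    if (req.error) return { status: 400, body: { error: req.error } };
    const res = await fetchImpl(req.url, req.init);
    if (!res.ok) return { status: 502, body: { error: "vector search unavailable" } };
    return { status: 200, body: shapeResponse(await res.json()) };
  };
}
```

The shape of the response matters as much as the direction of the call: if the handler forwarded the upstream body verbatim, a client could still recover index internals (stored vectors, error messages naming the index) even though the key itself never left the server. Mount `createSearchHandler()` behind your normal authentication and rate limiting, and keep the Pinecone-console spend limit from step 4 as the backstop if the proxy is abused.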

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.