Fix guide · critical · together_ai_key

Together AI API key in your client bundle

Why it matters

Inference billed to your account across whichever models you've enabled. Automated scrapers harvest these keys from public bundles within hours; assume the key is compromised the moment it shipped.

How to fix it

1. Revoke the key immediately at https://api.together.xyz/settings/api-keys.
2. Move the new key to server-only env vars. Never use a name with the NEXT_PUBLIC_, VITE_, or PUBLIC_ prefix.
3. Pattern your calls as client → your API → Together AI. Never client → Together AI directly.
4. Set a spend or rate limit in the Together AI console as a safety net.
5. Add a CI gate to fail any future deploy that includes the key pattern: vibecheck https://your-deploy.com --exit-on critical.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.