
Resend API Keys in Lead Forms: Why You Need to Rotate Them Tomorrow


Resend, the transactional email API, is one of the most-leaked secrets in 2026 vibe-coded apps. The contact-form pattern Lovable/Bolt generate puts the key in the client. Here's the audit.

April 21, 2026 | VibeWShield Team | 1 min read

Resend API keys start with re_. Grep the app/api/contact/route.ts of any vibe-coded app and you'll find a pattern like:

const resend = new Resend(process.env.RESEND_API_KEY!);

Server-side, safe. Except when the generator also writes the same variable into next.config.js as env: { ... }, which is a Next.js idiom for exposing env to the client bundle.

Detect

# curl does not expand "*", and chunk filenames are hashed, so list the chunk URLs from the HTML first, then grep each chunk for a Resend-shaped key
curl -s https://your-app.com/ \
  | grep -oE '/_next/static/chunks/[^"]+\.js' | sort -u \
  | while read -r chunk; do curl -s "https://your-app.com$chunk"; done \
  | grep -oE '\bre_[A-Za-z0-9]{24,}\b'

One hit, one rotation.

Rotate

  1. Resend dashboard → API Keys → revoke.
  2. Create a new key, scope it to Sending access only (not Full access).
  3. Add a rate limit at the API edge — Resend itself allows 100 requests/minute for free plans, and the attacker who just exfiltrated your key will exhaust your monthly quota before lunch.

Pattern to avoid

next.config.js:

env: { RESEND_API_KEY: process.env.RESEND_API_KEY },  // NEVER

Use server components or route handlers; they already have access to process.env. The env block in next.config.js is a legacy pattern that ships env to the client.
