Resend API key (re_...) leaked: stop the spam before reputation tanks
Your Resend API key may be exposed. Here is the fastest possible recovery — three steps, no theory.
Step 01
Open Resend Dashboard → API Keys → revoke the leaked key.
Step 02
Create a new key, update server env, redeploy.
Step 03
Check Resend → Emails for unfamiliar sends. If found, contact Resend support to flag the abuse window.
Step 01 — Revoke
Kill the leaked credential first
API Keys → click the leaked key → Revoke. Confirm. Then "Create API Key" with role "Sending access" (lower blast radius than "Full access").
Step 02 — Rotate
Update the new key in the right place
Server-side env vars only — never in client code, never with NEXT_PUBLIC_.
import { Resend } from 'resend';
// Server only — never NEXT_PUBLIC_RESEND_API_KEY.
const resend = new Resend(process.env.RESEND_API_KEY);

Step 03 — Scan
Confirm nothing else leaked alongside it
Scan to find SMTP, mail, or other transactional secrets in your bundle.
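The scan in Step 03, as an added example (not from the page and not Resend's tooling): a small check that runs over a built client bundle, source map or .env dump and flags Resend-style keys and any NEXT_PUBLIC_ reference to the Resend key, which is the "contact us" client-component leak described below. The key shape (re_ followed by 20 or more URL-safe characters) and the sample bundle are assumptions constructed for the example.

```javascript
// Added example: detect Resend-style API keys and client-exposed env names in a
// text artifact (minified JS bundle, .map file, .env contents) before redeploying.
// Assumption: Resend keys start with "re_" followed by 20+ URL-safe characters.
const RESEND_KEY_RE = /\bre_[A-Za-z0-9_-]{20,}\b/g;
// Any NEXT_PUBLIC_*RESEND* name means the key was wired into the client bundle.
const CLIENT_ENV_RE = /\bNEXT_PUBLIC_[A-Z0-9_]*RESEND[A-Z0-9_]*\b/g;

// Redact a matched key so findings can be logged or pasted into a ticket safely.
function redact(secret) {
  return secret.slice(0, 6) + '...' + secret.slice(-4);
}

// Returns one finding per match: kind, (redacted) value and 1-based line number.
function scanBundleForResendSecrets(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(RESEND_KEY_RE)) {
      findings.push({ kind: 'resend_api_key', value: redact(m[0]), line: i + 1 });
    }
    for (const m of line.matchAll(CLIENT_ENV_RE)) {
      findings.push({ kind: 'client_exposed_env_name', value: m[0], line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample: a fragment of a minified client bundle that inlined the key
// plus a NEXT_PUBLIC_ reference. The key below is not a real credential.
const SAMPLE_BUNDLE = [
  'const e=new Resend("re_EXAMPLEKEY0123456789abcdefXYZ");',
  'fetch("/api/contact");',
  'var k=process.env.NEXT_PUBLIC_RESEND_API_KEY;',
  'const ok="re_short"; // too short to be a key, ignored',
].join('\n');

// Stand-alone run: print findings; a CI step would fail the build when non-empty.
console.log(scanBundleForResendSecrets(SAMPLE_BUNDLE));
```

Run it against the output of your build directory (for example, concatenated .js and .map files) after redeploying; an empty result is the confirmation Step 03 asks for.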
How this usually leaks
- Used in a client component for a "contact us" form.
- .env committed to GitHub.
- Embedded in serverless function logs that are publicly retrievable.
FAQ
Frequently asked questions
- Will spam from a leaked key affect my domain reputation?
- Yes — spam complaints accumulate on the sending domain (your domain), not Resend’s. A bad burst can blocklist your domain at Gmail/Outlook for weeks. Move quickly.
- Should I rotate my DKIM keys too?
- No. DKIM keys are domain-level signing keys held by Resend, not API access keys. They are unaffected.
Deeper dive
Long-term fixes for this leak class
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Concepts
Background
Sender Policy Framework
SPF is a DNS record listing which IP addresses are allowed to send email from your domain. The first line of email authentication.
DomainKeys Identified Mail
DKIM is a digital signature on outgoing email, letting receivers verify it came from you and was not tampered with.
Domain-based Message Authentication, Reporting & Conformance
DMARC tells receiving mail servers what to do with email that fails SPF or DKIM checks. The single most important email security record.