Critical: act in the next 60 seconds

SendGrid API key (SG.) leaked: revoke and audit mail logs

Your SendGrid API key may be exposed. Here is the fastest possible recovery — three steps, no theory.

  1. Step 01: SendGrid → Settings → API Keys → Delete the leaked key.
  2. Step 02: Create a new key with restricted permissions (e.g. Mail Send only).
  3. Step 03: Activity Feed → filter for the leak window. A burst of sends you did not make means the key was abused; contact SendGrid support.

Step 01 — Revoke

Kill the leaked credential first

Settings → API Keys → three dots next to the leaked key → Delete. Confirm. Create New API Key → "Restricted Access" → check only Mail Send (uncheck everything else).


Step 02 — Rotate

Update the new key in the right place

Server-side env vars only — never in client code, never with NEXT_PUBLIC_.

Server-only SendGrid client
import sgMail from '@sendgrid/mail';
sgMail.setApiKey(process.env.SENDGRID_API_KEY!);  // server only

Step 03 — Scan

Confirm nothing else leaked alongside it

Scan your live URL for any other transactional or messaging secrets in your bundle.

How this usually leaks

  • Hardcoded in a client component for "contact form" sends.
  • Embedded in a config.json deployed to /public/.
  • .env committed to source control.

FAQ

Frequently asked questions

My SendGrid account got suspended after the leak. What now?
Open a support ticket explaining the rotation. SendGrid suspends accounts on detected abuse to protect deliverability. They’ll usually reinstate after you confirm the leak is contained.
Should I move to subuser API keys?
For larger sending operations, yes. Subuser keys scope sending to a specific subuser. A leak only affects that subuser’s reputation, not the parent account.

See what else leaked in the same deploy

Free scan. 70+ checks. Results in 60 seconds.