Two Brandfetch API keys have been pasted into Claude Code chat transcripts and are considered compromised:
Steps:
- Brandfetch dashboard → API tokens → delete both compromised tokens
- Create a new token
- Update
web/.env locally
vercel env rm BRANDFETCH_API_KEY production && vercel env add BRANDFETCH_API_KEY production from repo root- Trigger a fresh deploy so the new key takes effect
These keys are server-only (no NEXT_PUBLIC_ prefix), so no client-side cache to worry about.
Acceptance: old tokens deleted in Brandfetch dashboard; new token in .env and Vercel prod env; deploy succeeds; brand-logos script can re-run with the new key (subject to quota — see #4).
Two Brandfetch API keys have been pasted into Claude Code chat transcripts and are considered compromised:
_Ox_dZ…(original, leaked during Phase 0 — flagged in STATE.md quirk Refresh brand-logos.json after Brandfetch quota reset (2026-05-31) #4)SdD6By…(current, leaked during the 2026-05-25 logos-debugging session)Steps:
web/.envlocallyvercel env rm BRANDFETCH_API_KEY production && vercel env add BRANDFETCH_API_KEY productionfrom repo rootThese keys are server-only (no
NEXT_PUBLIC_prefix), so no client-side cache to worry about.Acceptance: old tokens deleted in Brandfetch dashboard; new token in
.envand Vercel prod env; deploy succeeds; brand-logos script can re-run with the new key (subject to quota — see #4).