Hi,
On Jan. 28 '26 we found an issue with public projects where the API key of the underlying project might be returned on the public deployment page. This was found during an internal code review, and we have no signs that any API keys have been abused (but if you have any indication that this might have happened, please let us know).
We’ve immediately patched the issue on Jan. 28, and are currently rotating all API keys that could potentially be affected. This only affects project API keys marked as your “development key”, and only affects public projects (no other API keys or private projects affected).
If one of your API keys has been rotated you’ll see:
- A message in the Studio under Dashboard > Keys.
- If the API key has been used in the past 90 days with the Studio API → you’ll also get an email from me once the key has been rotated.
Cheers, and apologies for the inconvenience!
UPDATE 29 Jan. 2026 20:55 CET: All keys have been rotated, and all users with affected active (used in past 90 days) API keys are being notified via email. For non-active (not used in past 90 days) keys that were affected you’ll see a message under Dashboard > Keys.