Indeed, I see REACT_APP_SERVICE_ID and REACT_APP_PUBLIC_KEY embedded in the code instead of the values of the variables. Do check out
If using Vite, you might also check out the Vite Env Variables documentation.
I would advise against doing what you currently are, as those private variables end up exposed which means anyone could potentially use your API KEY to send emails. Better to hide sensitive keys/tokens in a function. See