Hey @TurtleMoon
Anything in a React (or other client-side) app is visible to the user. So if you have
const seviceAPIKey = process.env.SECRET_API_KEY
the value of this secret is visible. Better to use Netlify Functions as outlined in [Support Guide] How do I keep my API keys/tokens safe using Netlify Functions? Also check out [Support Guide] Using environment variables on Netlify correctly.