docs(js): Quick Start guides: Auth tokens in env files

[inventarSarah]

In this PR, I've updated the Source Maps section in the Quick Start guides (manual setup) to ensure we recommend storing the Sentry auth token in an environment file instead of directly in the config files.

Updated for SDKs:

• Nuxt
• React Router Framework
• Solidstart

Closes: #13896

DESCRIBE YOUR PR

Tell us what you're changing and why. If your PR resolves an issue, please link it so it closes automatically.

IS YOUR CHANGE URGENT?

Help us prioritize incoming PRs by letting us know when the change needs to go live.

• Urgent deadline (GA date, etc.):
• Other deadline:
• None: Not urgent, can wait up to 1 week+

SLA

• Teamwork makes the dream work, so please add a reviewer to your PRs.
• Please give the docs team up to 1 week to review your PR unless you've added an urgent due date to it.
  Thanks in advance for your help!

PRE-MERGE CHECKLIST

Make sure you've checked the following before merging your changes:

• Checked Vercel preview for correctness, including links
• PR was reviewed and approved by any necessary SMEs (subject matter experts)
• PR was reviewed and approved by a member of the Sentry docs team

EXTRA RESOURCES

• Sentry Docs contributor guide

---

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
develop-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 2, 2025 0:52am
sentry-docs	❌ Failed (Inspect)			Jul 2, 2025 0:52am

[codecov]

Bundle Report

Changes will decrease total bundle size by 268.95kB (-1.22%) ⬇️. This is within the configured threshold ✅

Detailed changes

Bundle name	Size	Change
sentry-docs-server-cjs	11.53MB	-268.95kB (-2.28%) ⬇️
sentry-docs-client-array-push	9.8MB	-6 bytes (-0.0%) ⬇️

Affected Assets, Files, and Routes:

view changes for bundle: sentry-docs-server-cjs

Assets Changed:

Asset Name	Size Change	Total Size	Change (%)
1729.js	-3 bytes	1.64MB	-0.0%
../instrumentation.js	-3 bytes	973.36kB	-0.0%
9523.js	-3 bytes	949.31kB	-0.0%
../app/[[...path]]/page.js.nft.json	-89.65kB	601.56kB	-12.97%
../app/platform-redirect/page.js.nft.json	-89.65kB	601.48kB	-12.97%
../app/sitemap.xml/route.js.nft.json	-89.65kB	599.45kB	-13.01%

view changes for bundle: sentry-docs-client-array-push

Assets Changed:

Asset Name	Size Change	Total Size	Change (%)
static/chunks/pages/_app-*.js	-3 bytes	873.24kB	-0.0%
static/chunks/7750-*.js	-3 bytes	415.85kB	-0.0%
server/middleware-*.js	5.55kB	6.55kB	555.3% ⚠️
server/middleware-*.js	-5.55kB	1.0kB	-84.74%
static/FrkNalMrA0yvq2otYShAG/_buildManifest.js (New)	684 bytes	684 bytes	100.0% 🚀
static/FrkNalMrA0yvq2otYShAG/_ssgManifest.js (New)	77 bytes	77 bytes	100.0% 🚀
static/y1PN8i0UeThLNvataMyC7/_buildManifest.js (Deleted)	-684 bytes	0 bytes	-100.0% 🗑️
static/y1PN8i0UeThLNvataMyC7/_ssgManifest.js (Deleted)	-77 bytes	0 bytes	-100.0% 🗑️

[coolguyzone]

Looks good! 🎸

[s1gr1d]

I looked specifically on the Nuxt code, that's perfect 👍

[andreiborza]

Solidstart looking... solid 😅

[cursor]

Bug: Vite Misconfiguration Exposes Sentry Auth Token

The Sentry auth token is exposed to the client-side. The documentation incorrectly advises storing the token as VITE_SENTRY_AUTH_TOKEN and accessing it via import.meta.env.VITE_SENTRY_AUTH_TOKEN in vite.config.ts. Vite exposes all VITE_ prefixed environment variables to the client bundle, making the sensitive token publicly accessible. In vite.config.ts (which runs server-side during build), the token should be stored as SENTRY_AUTH_TOKEN and accessed using process.env.SENTRY_AUTH_TOKEN.

docs/platforms/javascript/guides/react-router/index.mdx#L414-L432

sentry-docs/docs/platforms/javascript/guides/react-router/index.mdx

Lines 414 to 432 in 842de7a

	// store it in an environment variable to keep it secure.
	authToken: import.meta.env.VITE_SENTRY_AUTH_TOKEN,
	// ...
	};
	export default defineConfig(config => {
	return {
	+ plugins: [reactRouter(),sentryReactRouter(sentryConfig, config)],
	};
	});
	```
	To keep your auth token secure, always store it in an environment variable instead of directly in your files:
	<OrgAuthTokenNote />
	```bash {filename:.env}
	VITE_SENTRY_AUTH_TOKEN=___ORG_AUTH_TOKEN___
	```

Fix in Cursor

---

Was this report helpful? Give feedback by reacting with 👍 or 👎