We're getting a report from HackerOne that our permanent Prismic API token is included in our app.js file.
On our side, we use environment variables to store this value safely, but the
gatsby-source-prismic plugin seems to include it anyway.
Is it safe to display this value publicly? According to this thread, it seems the answer is no.
Which other token should we use instead, or is there a way to tell
gatsby-source-prismic not to display this value publicly?