fix: replace member.save() in invite.post.js and remove stale NUXT_PUBLIC_HELCIM_TOKEN env check

server/api/admin/members/invite.post.js

@@ -49,9 +49,7 @@ export default defineEventHandler(async (event) => {
         { expiresIn: '48h' },
       )
 
-      // Store jti for single-use enforcement in verify.post.js
+      // Store jti for single-use enforcement in verify.post.js (set after email succeeds below)
-      member.magicLinkJti = jti
-      member.magicLinkJtiUsed = false
 
       // Token in fragment — never hits server logs
       const loginLink = `${baseUrl}/verify#${token}`
@@ -87,11 +85,20 @@ export default defineEventHandler(async (event) => {
         continue
       }
 
-      // Mark member as active and record invite sent
+      // Mark member as active, record invite sent, store jti for single-use enforcement
-      member.status = 'active'
+      await Member.findByIdAndUpdate(
-      member.inviteEmailSent = true
+        member._id,
-      member.inviteEmailSentAt = new Date()
+        {
-      await member.save()
+          $set: {
+            magicLinkJti: jti,
+            magicLinkJtiUsed: false,
+            status: 'active',
+            inviteEmailSent: true,
+            inviteEmailSentAt: new Date(),
+          },
+        },
+        { runValidators: false }
+      )
 
       results.push({ memberId: member._id, email: member.email, success: true })
     } catch (err) {

server/plugins/validate-env.js

@@ -4,7 +4,6 @@ export default defineNitroPlugin(() => {
     'JWT_SECRET',
     'RESEND_API_KEY',
     'HELCIM_API_TOKEN',
-    'NUXT_PUBLIC_HELCIM_TOKEN',
   ]
 
   const missing = required.filter((key) => {