Configure SMTP credentials and reCAPTCHA — no VPS access needed.
For Gmail, use a 16-character App Password (not your account password).
Used in the frontend JS — safe to expose.
Used server-side only — never sent to the browser.