AS-101 · Module 2

API Key Security

3 min read

Your API key is a credit card number. Treat it like one. You would not paste your credit card number into a public GitHub repository, email it to a colleague in plaintext, or hardcode it into a file that gets committed to version control. Your API key deserves the same respect — because the consequences of leaking it are similar: unauthorized charges, data access, and a very unpleasant cleanup process.

Do This

  • Store API keys in environment variables — never in source code
  • Use a .env file for local development and add .env to your .gitignore before your first commit
  • Use a secret manager (AWS Secrets Manager, Doppler, 1Password) for production deployments
  • Rotate keys on a regular schedule and immediately if you suspect exposure

Avoid This

  • Hardcode API keys in your source files — even "temporarily"
  • Commit .env files to version control — once pushed, the key lives in your git history even after you delete the file; treat it as compromised and rotate it
  • Share API keys over Slack, email, or any unencrypted channel
  • Use the same API key across development, staging, and production environments

Environment variables are the minimum viable solution. You create a .env file in your project root, put your keys there, and add .env to your .gitignore before your first commit so it is never tracked. Your code reads the key from the environment at runtime instead of from a hardcoded string, and it should fail loudly when the variable is missing rather than fall back to a built-in default. This takes five minutes to set up and closes off the most common way keys leak: being committed to a repository. It is a floor, not a ceiling: anything else running as your user can read your environment and every child process inherits it, which is why production deployments belong in a secret manager. If you do nothing else from this course, do this.
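The following Python script is an added example, not code from the course; it shows the setup described above end to end: parsing a .env file, applying it to the environment without overriding real variables, failing loudly when the key is missing, checking that .gitignore actually covers .env, and a heuristic scan for the "hardcoded key" mistake from the Avoid This list. The .env contents, the sample source file, and the variable name SERVICE_API_KEY are constructed for the example; the placeholder values are not real credentials, and the hardcoded-key scanner is a name-based heuristic, not a check for any provider's key format.

```python
"""Added example: environment-backed API key loading with a .env fallback for local
development, a .gitignore sanity check, and a heuristic scan for hardcoded keys.
Standard library only; no python-dotenv required."""
from __future__ import annotations

import fnmatch
import os
import re
from pathlib import Path

# Constructed sample .env contents; the key is a placeholder, not a real credential.
SAMPLE_ENV = """
# local development only: this file is listed in .gitignore
export SERVICE_API_KEY="example-key-not-real-0123"
MODEL_NAME=some-model
"""

# Constructed sample source file with one hardcoded key and one correct lookup.
SAMPLE_SOURCE = '''
import os
SERVICE_API_KEY = "example-hardcoded-key-not-real-1234"   # BAD: literal in source
api_key = os.environ["SERVICE_API_KEY"]                    # GOOD: read at runtime
auth_token = "short"                                       # too short to flag
'''

_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Heuristic: a secret-looking variable name assigned a string literal of 16+ characters.
_HARDCODED = re.compile(
    r"""^\s*(?:(?:const|let|var|export)\s+)?"""
    r"""([A-Za-z_][A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*)"""
    r"""\s*[:=]\s*["']([^"']{16,})["']""",
    re.IGNORECASE,
)


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines (optionally prefixed with 'export'). Blank lines and
    full-line # comments are skipped; a matching pair of surrounding quotes is removed."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if not m:
            continue  # not a KEY=VALUE line: ignore it rather than guess
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def apply_dotenv(text: str, environ=os.environ) -> None:
    """Copy parsed values into environ without overriding variables already set,
    so a real deployment environment always wins over a stray .env file."""
    for key, value in parse_dotenv(text).items():
        environ.setdefault(key, value)


def load_dotenv(path: str = ".env", environ=os.environ) -> None:
    """Read .env from disk if present; production normally has no .env, so a missing file is fine."""
    p = Path(path)
    if p.is_file():
        apply_dotenv(p.read_text(), environ)


def key_is_configured(name: str, environ=os.environ) -> bool:
    """True only if the variable exists and is non-empty."""
    return bool(environ.get(name))


def get_api_key(name: str, environ=os.environ) -> str:
    """Return the key or fail loudly. There is deliberately no hardcoded default."""
    if not key_is_configured(name, environ):
        raise RuntimeError(f"{name} is not set; export it or add it to .env (which must be in .gitignore)")
    return environ[name]


def gitignore_covers(gitignore_text: str, filename: str = ".env") -> bool:
    """Approximate check that .gitignore ignores filename; a later '!' rule un-ignores it, as in git.
    git's full pattern rules are richer than fnmatch, so treat this as a sanity check only."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        pat = pat.lstrip("!").lstrip("/").rstrip("/")
        if fnmatch.fnmatchcase(filename, pat):
            ignored = not negate
    return ignored


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for every secret-looking literal assignment."""
    return [(n, m.group(1)) for n, line in enumerate(source.splitlines(), start=1)
            if (m := _HARDCODED.match(line))]


if __name__ == "__main__":
    env: dict[str, str] = {}
    apply_dotenv(SAMPLE_ENV, env)
    print("key configured:", key_is_configured("SERVICE_API_KEY", env))
    print("hardcoded keys:", find_hardcoded_keys(SAMPLE_SOURCE))
```

Two design choices matter here. apply_dotenv uses setdefault so a .env file left on a server can never silently override the real environment, and get_api_key raises instead of returning a placeholder, so a missing key fails at startup rather than producing confusing 401s later. The gitignore_covers check is the one to run in CI: a .env that is present but not ignored is one commit away from the "forever in git history" case above.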