API Key Security Best Practices Every Developer Should Know.
Source: Dev.to
You probably have API keys scattered everywhere right now—.env files, Notion docs, Slack messages, maybe even a sticky note. And honestly? Most developers do. But one mistake can expose your entire system.
1. Never commit API keys to GitHub
This is the most common mistake. You push your code and GitHub’s bots scan for exposed keys within seconds.
Fix:
- Add
.envto your.gitignoreimmediately.
2. Never hardcode keys in your codebase
Hardcoded keys end up in version history forever — even after you delete them.
Fix:
- Always use environment variables. No exceptions.
3. Separate dev and production keys
Your development keys and production keys should never be the same. If your dev environment gets compromised, your production environment is at risk.
Fix:
- Create separate keys for each environment in every project.
4. Rotate your keys regularly
Keys are like passwords; the longer they stay the same, the greater the risk.
When to rotate:
- An employee leaves.
- A key gets accidentally exposed.
- You finish working with a contractor.
Fix:
- Rotate them every 90 days or immediately after any of the events above.
5. Know where every key lives
If someone asked you right now where your OpenAI key is and you can’t answer in less than five seconds, you have a problem.
Fix:
- Keep all your keys in one organized, secure place.
6. Use the principle of least privilege
Every API key should only have the permissions it actually needs. If your key only needs read access—don’t give it write access.
I learned most of this the hard way while working across multiple projects. That’s why I built Keydock—a simple, secure vault for managing API keys.