Best practice in API key use

  1. Keep your API keys secret.

    • Never share them in emails, chats, screenshots, or public forums.

    • Treat them like passwords — only share with trusted systems, never with people.

    • Use access controls to limit who in your team can view or manage keys.

  2. Do not hardcode keys.

    • Avoid embedding keys directly in your code or repositories.

    • Use environment variables, secret managers (e.g., AWS Secrets Manager, Vault), or configuration files excluded from version control.

    • Run automated scans to detect accidental exposure of keys in commits.
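The two halves of this item, reading the key from the environment instead of the source tree and scanning commits for keys that slipped in anyway, as an added Python example that is not part of the original page. The variable name EXAMPLE_SERVICE_API_KEY, the `exk_` prefix and the diff it scans are all constructed placeholders, not any real vendor's key format:

```python
import os
import re

# Assumed name of the environment variable that carries the credential.
API_KEY_ENV = "EXAMPLE_SERVICE_API_KEY"


def load_api_key(env=None):
    """Read the API key from the environment and fail closed if it is absent.

    `env` defaults to os.environ; a plain dict may be passed for testing.
    """
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(
            f"{API_KEY_ENV} is not set; refusing to start without a credential"
        )
    return key


# Patterns for key-like strings in source. The "exk_" prefix is a made-up
# placeholder; add your providers' real formats to this list.
KEY_PATTERNS = [
    ("generic-assignment", re.compile(
        r"""(?i)(api[_-]?key|secret|token)\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,})['"]?""")),
    ("example-prefixed-key", re.compile(r"\bexk_[A-Za-z0-9]{24,}\b")),
]


def scan_added_lines(diff_text):
    """Scan the '+' lines of a unified diff for key-like strings.

    Returns a list of (diff line number, pattern name, redacted match).
    Only the first few characters and the length of a match are reported,
    so the scanner's own output never re-leaks the secret.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content matters for a pre-commit check
        for name, pattern in KEY_PATTERNS:
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((lineno, name, f"{secret[:4]}...({len(secret)} chars)"))
                break  # one finding per line is enough to block the commit
    return findings


# Constructed diff: a developer replaced the environment lookup with a literal.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-API_KEY = os.environ["EXAMPLE_SERVICE_API_KEY"]
+API_KEY = "exk_9f3a1b2c4d5e6f7a8b9c0d1e2f3a4b5c"
+DEBUG = True
"""

if __name__ == "__main__":
    for lineno, name, redacted in scan_added_lines(SAMPLE_DIFF):
        print(f"line {lineno}: {name}: {redacted}")
```

Wired into a pre-commit hook, a non-empty result from scan_added_lines should reject the commit; the redacted form is what goes into the hook's output and any ticket that follows.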

  3. Rotate keys regularly.

    • Replace keys on a fixed schedule (e.g., every 60–90 days).

    • Rotate keys immediately if a team member leaves or roles change.

  4. Revoke unused keys.

    • Delete any keys that are no longer in use.

    • Regularly audit all keys and confirm they still have a valid purpose.

    • Dormant or forgotten keys are common attack vectors.
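Items 3 and 4 together describe a periodic inventory audit: which keys are past their rotation age, which have gone dormant or were never used, which lack a documented purpose, and which belong to someone who is leaving. The following Python is an added example, not code from the original page; the key records, thresholds and dates are constructed, and the inventory holds key identifiers only, never the secrets themselves:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ROTATION_AGE = timedelta(days=90)   # assumed policy: replace keys at least this often
DORMANCY_AGE = timedelta(days=30)   # assumed policy: unused this long -> revoke candidate


@dataclass
class KeyRecord:
    key_id: str                     # identifier only, never the secret value
    owner: str
    created_at: datetime
    last_used_at: Optional[datetime]
    purpose: str


def audit_keys(records, now):
    """Return {key_id: [reasons]} for every key that needs attention."""
    findings = {}
    for r in records:
        reasons = []
        if now - r.created_at >= ROTATION_AGE:
            reasons.append("rotation overdue")
        if r.last_used_at is None:
            if now - r.created_at >= DORMANCY_AGE:
                reasons.append("never used")
        elif now - r.last_used_at >= DORMANCY_AGE:
            reasons.append("dormant")
        if not r.purpose.strip():
            reasons.append("no documented purpose")
        if reasons:
            findings[r.key_id] = reasons
    return findings


def keys_owned_by(records, owner):
    """Keys to rotate immediately when `owner` leaves or changes role."""
    return [r.key_id for r in records if r.owner == owner]


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory and audit date.
NOW = utc(2024, 6, 1)
RECORDS = [
    KeyRecord("key-ci-build", "alice", utc(2024, 1, 10), utc(2024, 5, 31), "CI pipeline"),
    KeyRecord("key-report-job", "bob", utc(2024, 4, 15), utc(2024, 4, 20), "monthly report"),
    KeyRecord("key-test", "alice", utc(2024, 3, 1), None, ""),
    KeyRecord("key-webhook", "carol", utc(2024, 5, 20), utc(2024, 5, 30), "order webhook"),
]

if __name__ == "__main__":
    for key_id, reasons in audit_keys(RECORDS, NOW).items():
        print(f"{key_id}: {', '.join(reasons)}")
    print("offboarding alice ->", keys_owned_by(RECORDS, "alice"))
```

Running the audit on a schedule and feeding keys_owned_by from the HR offboarding process turns both items into a routine rather than a recollection.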

  5. Monitor API key usage.

    • Review usage logs regularly to spot unusual activity. Watch for requests from unexpected IP addresses, geographies, or times.

    • Set up alerts for suspicious activity, like high request volumes or new patterns.
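The checks this item calls for, unexpected source addresses, requests outside a key's usual hours, bursts of requests and use of a key that is not in the inventory, run over a few log lines as an added Python example that is not part of the original page. The log format, the per-key baseline and the thresholds are constructed; a real deployment would read the baseline from the key inventory and the lines from the gateway's access log:

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed baseline: networks and UTC hours each key is expected to be used from.
BASELINE = {
    "key-ci-build": {"networks": ["198.51.100.0/24"], "hours": range(0, 24)},
    "key-webhook": {"networks": ["192.0.2.0/24"], "hours": range(8, 18)},
}
VOLUME_LIMIT = 3       # more than this many requests per key ...
VOLUME_WINDOW_S = 60   # ... within this many seconds raises one alert

_NETWORKS = {k: [ipaddress.ip_network(n) for n in v["networks"]] for k, v in BASELINE.items()}


def parse_line(line):
    """Parse the constructed format: '<ISO-8601 UTC> <key id> <source ip> <status> <path>'."""
    ts, key_id, ip, status, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "key_id": key_id,
        "ip": ipaddress.ip_address(ip),
        "status": int(status),
        "path": path,
    }


def detect_anomalies(lines):
    """Return a list of (key_id, reason) alerts in log order."""
    alerts = []
    recent = defaultdict(deque)   # key_id -> timestamps inside the volume window
    volume_flagged = set()
    for line in lines:
        e = parse_line(line)
        base = BASELINE.get(e["key_id"])
        if base is None:
            alerts.append((e["key_id"], "unknown key"))
            continue
        if not any(e["ip"] in net for net in _NETWORKS[e["key_id"]]):
            alerts.append((e["key_id"], f"unexpected source {e['ip']}"))
        if e["ts"].hour not in base["hours"]:
            alerts.append((e["key_id"], f"outside expected hours ({e['ts'].hour:02d}:00 UTC)"))
        q = recent[e["key_id"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > VOLUME_WINDOW_S:
            q.popleft()   # drop requests that fell out of the sliding window
        if len(q) > VOLUME_LIMIT and e["key_id"] not in volume_flagged:
            volume_flagged.add(e["key_id"])
            alerts.append((e["key_id"], f"more than {VOLUME_LIMIT} requests in {VOLUME_WINDOW_S}s"))
    return alerts


# Constructed access log: normal traffic, then a key used from an unknown
# network at night in a burst, then a key that is not in the inventory at all.
SAMPLE_LOG = [
    "2024-06-01T10:00:00Z key-ci-build 198.51.100.20 200 /v1/items",
    "2024-06-01T10:00:05Z key-webhook 192.0.2.9 200 /v1/hooks",
    "2024-06-01T10:00:10Z key-ci-build 203.0.113.7 200 /v1/items",
    "2024-06-01T22:30:00Z key-webhook 192.0.2.9 200 /v1/hooks",
    "2024-06-01T22:31:00Z key-ci-build 203.0.113.7 200 /v1/items",
    "2024-06-01T22:31:10Z key-ci-build 203.0.113.7 200 /v1/items",
    "2024-06-01T22:31:20Z key-ci-build 203.0.113.7 200 /v1/items",
    "2024-06-01T22:31:30Z key-ci-build 203.0.113.7 200 /v1/items",
    "2024-06-01T22:32:00Z key-old 203.0.113.7 401 /v1/items",
]

if __name__ == "__main__":
    for key_id, reason in detect_anomalies(SAMPLE_LOG):
        print(f"ALERT {key_id}: {reason}")
```

Each alert carries the key identifier, so the response can go straight to the revocation step in item 7 without first working out which credential was involved.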

  6. Store keys securely.

    • Use secure vaults, password managers, or encrypted storage solutions.

    • Never keep keys in plain text files or spreadsheets.

    • Limit local storage of keys on developer machines whenever possible.

  7. Act quickly on compromise.

    • If you suspect a key has leaked, revoke it immediately.

    • Generate a new key and update all affected systems without delay.

    • Investigate the cause of the compromise and take steps to prevent recurrence.