- Keep your API keys secret.
  Never share them in emails, chats, screenshots, or public forums.
  Treat them like passwords — only share with trusted systems, never with people.
  Use access controls to limit who in your team can view or manage keys.
- Do not hardcode keys.
  Avoid embedding keys directly in your code or repositories.
  Use environment variables, secret managers (e.g., AWS Secrets Manager, Vault), or configuration files excluded from version control.
  Run automated scans to detect accidental exposure of keys in commits.
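As an added example (not code from the original page), here is a small scanner of the kind the "automated scans" point above describes, run over a constructed source file. It flags the documented AWS access key ID prefix (AKIA followed by 16 uppercase alphanumerics) and any api_key/secret/token/password assignment whose value has high Shannon entropy, while leaving the environment-variable lookup alone. The sample file, the 4.5-bit threshold and the variable-name pattern are assumptions of this example; AKIAIOSFODNN7EXAMPLE is AWS's own published placeholder key ID, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed sample file: a mix of the correct pattern (read from the environment)
# and the mistakes the scanner should catch. AKIAIOSFODNN7EXAMPLE is AWS's published
# example access key ID; the 32-character value on line 4 is made up for this example.
SAMPLE_SOURCE = """\
import os
API_KEY = os.environ["PAYMENTS_API_KEY"]           # fine: read from the environment
aws_access_key_id = AKIAIOSFODNN7EXAMPLE           # bad: hardcoded AWS key ID
api_key = "XyZ9q2Lm8vN3kP0rT5wA7bC1dE4fG6hJ"       # bad: literal random-looking value
password = "changeme"                              # too short for the rule below
token = "hello_world_this_is_a_very_long_string"   # long but low entropy: not flagged
""".splitlines()

# Well-known, documented key formats with a fixed shape.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic heuristic (assumed for this example): a credential-like variable name assigned
# a literal of 16+ characters from the usual base64/url-safe alphabet.
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})['\"]?"
)


def shannon_entropy(value: str) -> float:
    """Bits per character. Random keys score near log2(alphabet); prose scores lower."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold: float = 4.5):
    """Return (line_no, kind, matched_value) for lines that look like a leaked key.

    A known-format hit is reported on its own; otherwise the generic assignment rule
    applies, gated on entropy so English-looking strings do not trigger it.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        known = [
            (no, kind, m.group(0))
            for kind, pat in KNOWN_PATTERNS.items()
            for m in pat.finditer(line)
        ]
        if known:
            findings.extend(known)
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((no, "high_entropy_assignment", m.group(2)))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {value}")
```

Wired into a pre-commit hook or CI job, the same function would read the staged diff instead of the constructed sample; the entropy gate keeps the noise down, but it is a heuristic, so a short or repetitive real key can slip past it and a known-format list should be kept alongside it.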
- Rotate keys regularly.
  Replace keys on a fixed schedule (e.g., every 60–90 days).
  Rotate keys immediately if a team member leaves or roles change.
- Revoke unused keys.
  Delete any keys that are no longer in use.
  Regularly audit all keys and confirm they still have a valid purpose.
  Dormant or forgotten keys are common attack vectors.
- Monitor API key usage.
  Review usage logs regularly to spot unusual activity. Watch for requests from unexpected IP addresses, geographies, or times.
  Set up alerts for suspicious activity, like high request volumes or new patterns.
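An added example, not from the original page, of the log review and alerting described above, using constructed log lines with RFC 5737 documentation IP addresses. A known-good period establishes which source IPs and countries each key normally uses; later requests are then checked for a new IP, a new country, off-hours use and a request burst. The log format, the 08:00-18:00 UTC business window and the five-requests-per-minute burst limit are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (IPs are from the RFC 5737 documentation ranges).
# BASELINE_LOG is a known-good period; NEW_LOG is the period under review.
BASELINE_LOG = [
    "2024-05-06T09:12:01Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-06T11:40:13Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-07T14:05:44Z key=k-billing ip=203.0.113.11 country=US status=200",
]
NEW_LOG = [
    "2024-05-08T03:12:09Z key=k-billing ip=198.51.100.7 country=DE status=200",
    "2024-05-08T10:00:00Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-08T10:00:05Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-08T10:00:09Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-08T10:00:14Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-08T10:00:20Z key=k-billing ip=203.0.113.10 country=US status=200",
    "2024-05-08T10:00:31Z key=k-billing ip=203.0.113.10 country=US status=200",
]


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def build_baseline(lines) -> dict:
    """Per key: the set of source IPs and countries seen during the known-good period."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for e in map(parse_line, lines):
        baseline[e["key"]]["ips"].add(e["ip"])
        baseline[e["key"]]["countries"].add(e["country"])
    return dict(baseline)


def detect_anomalies(lines, baseline, business_hours=(8, 18), burst_limit=5, window_seconds=60):
    """Return (key, alert_type, detail) tuples for requests that deviate from the baseline.

    new_ip / new_country: source never seen for this key in the baseline.
    off_hours: request outside the assumed business window (UTC hours).
    burst: more than burst_limit requests within window_seconds (reported once per key).
    """
    alerts = []
    recent = defaultdict(list)   # key -> timestamps inside the sliding window
    burst_reported = set()
    for e in sorted(map(parse_line, lines), key=lambda ev: ev["ts"]):
        key = e["key"]
        known = baseline.get(key, {"ips": set(), "countries": set()})
        if e["ip"] not in known["ips"]:
            alerts.append((key, "new_ip", e["ip"]))
        if e["country"] not in known["countries"]:
            alerts.append((key, "new_country", e["country"]))
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            alerts.append((key, "off_hours", e["ts"].strftime("%H:%M UTC")))
        # Drop timestamps that fell out of the window, then add this request.
        recent[key] = [t for t in recent[key] if (e["ts"] - t).total_seconds() <= window_seconds]
        recent[key].append(e["ts"])
        if len(recent[key]) > burst_limit and key not in burst_reported:
            burst_reported.add(key)
            alerts.append((key, "burst", f"{len(recent[key])} requests in {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The 03:12 request from a German address raises three separate alerts (new IP, new country, off-hours), which is the kind of correlated signal worth paging on; the six requests inside one minute raise a single burst alert rather than one per request, so a real flood does not bury the alert queue.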
- Store keys securely.
  Use secure vaults, password managers, or encrypted storage solutions.
  Never keep keys in plain text files or spreadsheets.
  Limit local storage of keys on developer machines whenever possible.
- Act quickly on compromise.
  If you suspect a key has leaked, revoke it immediately.
  Generate a new key and update all affected systems without delay.
  Investigate the cause of the compromise and take steps to prevent recurrence.
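As an added example (not code from the original page), the following key store ties together the scheduled-rotation, unused-key audit and compromise-response points above. Keys are issued as random secrets of which only a SHA-256 digest is stored; an audit flags active keys older than the 90-day rotation period or with no use in 30 days; and one rotate() call covers both the scheduled case (with a grace window so dependent systems can be updated first) and the leak case (no grace, so the old key stops working at once). The KeyStore class, the 30-day dormancy threshold and the key ID format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ROTATION_PERIOD = timedelta(days=90)   # "replace keys on a fixed schedule"
DORMANT_AFTER = timedelta(days=30)     # assumed threshold for "no longer in use"


@dataclass
class ApiKey:
    key_id: str
    owner: str
    secret_hash: str                    # only a SHA-256 digest of the secret is kept
    created_at: datetime
    last_used_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None or now < self.revoked_at


class KeyStore:
    def __init__(self) -> None:
        self.keys: Dict[str, ApiKey] = {}

    def issue(self, owner: str, now: datetime) -> Tuple[str, str]:
        """Create a random secret; the plaintext is returned once and never stored."""
        key_id = "key_" + secrets.token_hex(4)      # assumed ID format for this example
        plaintext = secrets.token_urlsafe(32)
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        self.keys[key_id] = ApiKey(key_id, owner, digest, created_at=now)
        return key_id, plaintext

    def verify(self, key_id: str, plaintext: str, now: datetime) -> bool:
        """Constant-time digest comparison; records last use for the dormancy audit."""
        key = self.keys.get(key_id)
        if key is None or not key.is_active(now):
            return False
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        if not hmac.compare_digest(digest, key.secret_hash):
            return False
        key.last_used_at = now
        return True

    def rotate(self, key_id: str, now: datetime, grace: timedelta = timedelta(0)) -> Tuple[str, str]:
        """Issue a replacement for the same owner and schedule the old key's revocation.

        Scheduled rotation passes a grace period so callers can switch over;
        a suspected compromise passes none, so the old key dies immediately.
        """
        old = self.keys[key_id]
        new_id, plaintext = self.issue(old.owner, now)
        old.revoked_at = now + grace
        return new_id, plaintext

    def audit(self, now: datetime) -> List[Tuple[str, str]]:
        """Flag active keys that are overdue for rotation or have gone dormant."""
        findings = []
        for key in self.keys.values():
            if not key.is_active(now):
                continue
            if now - key.created_at >= ROTATION_PERIOD:
                findings.append((key.key_id, "rotation_overdue"))
            if now - (key.last_used_at or key.created_at) >= DORMANT_AFTER:
                findings.append((key.key_id, "dormant"))
        return findings
```

Because the store holds only digests, a dump of it does not yield usable keys, and because the plaintext is returned exactly once at issue time, the only place it should land is the secret manager or environment of the consuming system.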
See how to add your first API key and migrate to API key authentication.