- Keep your API keys secret.
  - Never share them in emails, chats, screenshots, or public forums.
  - Treat them like passwords — only share with trusted systems, never with people.
  - Use access controls to limit who in your team can view or manage keys.
- Do not hardcode keys.
  - Avoid embedding keys directly in your code or repositories.
  - Use environment variables, secret managers (e.g., AWS Secrets Manager, Vault), or configuration files excluded from version control.
  - Run automated scans to detect accidental exposure of keys in commits.
- Rotate keys regularly.
  - Replace keys on a fixed schedule (e.g., every 60–90 days).
  - Rotate keys immediately if a team member leaves or roles change.
- Revoke unused keys.
  - Delete any keys that are no longer in use.
  - Regularly audit all keys and confirm they still have a valid purpose.
  - Dormant or forgotten keys are common attack vectors.
- Monitor API key usage.
  - Review usage logs regularly to spot unusual activity. Watch for requests from unexpected IP addresses, geographies, or times.
  - Set up alerts for suspicious activity, like high request volumes or new patterns.
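As an added example (not code from the original page), the log review described above turned into an automated check: it parses constructed access-log lines and flags a key used from an IP outside its allowlist, used outside its normal hours, or exceeding a per-minute request ceiling. The log format, key names, and thresholds are assumptions.

```python
# Added example: flag anomalous API-key usage in access-log lines.
# Log format, key names and thresholds are constructed assumptions,
# not a real service's format.
from collections import Counter
from datetime import datetime

# Constructed sample: "timestamp key_id client_ip method path status"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z key_ci_01 203.0.113.10 GET /v1/orders 200
2024-05-01T09:00:02Z key_ci_01 203.0.113.10 GET /v1/orders 200
2024-05-01T03:14:00Z key_ci_01 198.51.100.77 GET /v1/customers 200
2024-05-01T03:14:01Z key_ci_01 198.51.100.77 GET /v1/customers 200
2024-05-01T03:14:02Z key_ci_01 198.51.100.77 GET /v1/customers 200
2024-05-01T10:30:00Z key_web_02 203.0.113.11 POST /v1/payments 201
"""

# Per-key expectations an operator maintains from the key inventory:
# allowed source IPs, normal usage hours (UTC) and a per-minute ceiling.
EXPECTED = {
    "key_ci_01": {"ips": {"203.0.113.10"}, "hours": range(8, 19), "per_min": 2},
    "key_web_02": {"ips": {"203.0.113.11"}, "hours": range(0, 24), "per_min": 100},
}

def parse_line(line):
    ts, key, ip, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "key": key,
            "ip": ip, "method": method, "path": path, "status": int(status)}

def find_anomalies(log_text, expected=EXPECTED):
    # Returns a sorted list of (key_id, reason) findings to alert on.
    findings = set()
    per_minute = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        key, rules = rec["key"], expected.get(rec["key"])
        if rules is None:
            findings.add((key, "unknown key"))  # not in inventory: audit/revoke
            continue
        if rec["ip"] not in rules["ips"]:
            findings.add((key, f"unexpected source {rec['ip']}"))
        if rec["ts"].hour not in rules["hours"]:
            findings.add((key, "use outside business hours"))
        per_minute[(key, rec["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
    for (key, minute), n in per_minute.items():
        if n > expected[key]["per_min"]:
            findings.add((key, f"volume {n}/min exceeds {expected[key]['per_min']}"))
    return sorted(findings)
```

Each finding maps to an action from this list: an unknown key is audited or revoked, and a confirmed leak triggers immediate rotation.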
- Store keys securely.
  - Use secure vaults, password managers, or encrypted storage solutions.
  - Never keep keys in plain text files or spreadsheets.
  - Limit local storage of keys on developer machines whenever possible.
- Act quickly on compromise.
  - If you suspect a key has leaked, revoke it immediately.
  - Generate a new key and update all affected systems without delay.
  - Investigate the cause of the compromise and take steps to prevent recurrence.
See how to add your first API key and migrate to API key authentication.