Ben Writing

Simple Rules for Protecting API Keys

API keys are critical. They unlock services, connect systems, and often guard sensitive data. But if you handle them poorly, they become your biggest security risk. Here is how to manage API keys without screwing it up.

Don’t Ever Store API Keys in Config Files Even Locally

This is basic, yet I see it all the time. Developers stash API keys in .env files or config files on their machines and treat it like a secret vault. It is not. One accidental commit, one public repo push, one careless screenshot, and your keys are out there.

You cannot afford this risk. Keys in config files, even local ones, are a ticking time bomb. Do not do it. No exceptions.

Store API Keys in Cloud Secret Managers with Encryption and Access Controls

The solution is simple: use a dedicated secret manager.

Options include AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, or tools like Doppler and Infisical if you are in startup mode.

These services keep your keys encrypted and give you granular control over who and what can access them. You get audit logs, versioning, and the ability to rotate keys without downtime or code changes.

Do not reinvent the wheel here. Use what is proven.

Developers Should Never Need to Know the API Keys

A solid security mindset means zero trust, even inside your own team.

Set up your environment so developers never handle the keys directly. Inject secrets into runtime environments automatically, or use a proxy layer that hides keys behind service calls.

A proxy layer acts as an intermediary between your application code and the external API. Instead of embedding API keys in the client or backend code directly, the app calls your proxy service. The proxy then handles authentication using the secret API key and forwards the request to the target service.

This protects your keys and lets your developers focus on building features, not managing secrets.

Use Gitleaks to Catch Leaked Keys Early

Humans make mistakes. Someone will accidentally commit a key at some point. You must prepare for it.

Gitleaks and pre-commit are your friends here. Integrate them into your workflow.
Gitleaks scans commits and pull requests for secrets and keys and stops merges if leaks are detected.
pre-commit lets you run Gitleaks (and other checks) automatically before every commit, catching leaks even earlier in the process. Gitleaks scans commits and pull requests for secrets and keys and stops merges if leaks are detected.

It is highly configurable. You can customize rules to detect your internal key formats and patterns.

Catching leaks before they reach production saves you headaches, potential breaches, and expensive key rotations.

Final Thoughts

Managing API keys well is not optional anymore. It is a necessity.

Here is the short checklist:

  • Never store API keys in config files, not even local ones.
  • Use cloud secret managers with encryption and role-based access.
  • Keep keys away from developers, inject them automatically or hide behind a proxy.
  • Run secret scanning in your CI pipeline using tools like Gitleaks.

If you manage teams, enforce these rules with documentation, tooling, and training. Security is not a checkbox. It is a discipline.

Ignore it and pay the price.