
affan


# API Key Security Best Practices Every Developer Should Know

You probably have API keys scattered everywhere right now.

.env files. Notion docs. Slack messages. Maybe even a sticky note.

And honestly? Most developers do. But one mistake can expose
your entire app to the world. Here's what you should actually
be doing.

## 1. Never commit API keys to GitHub

This is the most common mistake. You push your code and
forget your .env file is included.

Bots scan public GitHub for exposed keys within seconds of a
push. By the time you notice, someone has already grabbed it.

Fix: Add .env to your .gitignore immediately. If a key has already
been pushed, treat it as exposed and rotate it; deleting the file
in a later commit leaves the key in the history.
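A `.gitignore` entry only protects the file it names; the key pasted into a source file still goes through. The pre-commit hook below is an added example, not code from the post: it refuses to commit `.env`-style files and any staged line that looks like a key literal. The regexes, the allowlist, the entropy threshold and the `sk-` prefix check (the prefix is the OpenAI one the post alludes to; the length is an assumption) are constructed starting points to tune for the services you use.

```python
"""Pre-commit hook that blocks staged files carrying something that looks like an API key.
Install as .git/hooks/pre-commit and make it executable. Added example, not the post's
own code; patterns are constructed starting points."""
import math
import re
import subprocess
import sys

# A quoted literal of 16+ non-space characters assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['"]([^'"\s]{16,})['"]"""
)
# Keys whose vendor prefix gives them away; "sk-" is the OpenAI prefix, the minimum
# length after it is an assumption.
PREFIXED = re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b")
# Placeholder values that are fine to commit.
ALLOWLIST = {"your-api-key-here", "changeme", "REPLACE_ME"}
# Documented sample env files are meant to be committed; real ones never are.
COMMITTABLE_ENV_FILES = {".env.example", ".env.sample"}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking keys score high; words and names score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_like_secret(line: str):
    """Return the suspicious snippet from one line, or None."""
    for m in ASSIGNMENT.finditer(line):
        value = m.group(2)
        if value not in ALLOWLIST and shannon_entropy(value) > 3.0:
            return m.group(0)
    m = PREFIXED.search(line)
    return m.group(0) if m else None


def find_secrets(text: str):
    """(line_number, snippet) for each line that appears to contain a key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        snippet = looks_like_secret(line)
        if snippet is not None:
            hits.append((lineno, snippet))
    return hits


def is_env_file(path: str) -> bool:
    """True for .env, .env.local, config/.env.production; False for documented samples."""
    name = path.rsplit("/", 1)[-1]
    return name.startswith(".env") and name not in COMMITTABLE_ENV_FILES


def staged_files():
    """Paths added, copied or modified in the index (what this commit would contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def main() -> int:
    failed = False
    for path in staged_files():
        if is_env_file(path):
            print(f"refusing to commit env file: {path}", file=sys.stderr)
            failed = True
            continue
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
        except OSError:
            continue  # unreadable path; nothing to scan
        for lineno, snippet in find_secrets(text):
            print(f"{path}:{lineno}: possible API key: {snippet[:40]}", file=sys.stderr)
            failed = True
    if failed:
        print("commit blocked; move the value to an environment variable and retry",
              file=sys.stderr)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

The entropy check is what keeps `api_key = "see-the-team-wiki"` from tripping the hook while a real random key does; the allowlist covers the placeholders your README uses. A hook is a local guard only, so keep server-side scanning on as well.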

## 2. Never hardcode keys in your codebase

This one seems obvious but happens all the time, especially
when you're moving fast.

Hardcoded keys end up in version history forever, even
after you delete them.

Fix: Always use environment variables. No exceptions.

## 3. Separate dev and production keys

Your development keys and production keys should never
be the same.

If your dev environment gets compromised, your production
app stays safe.

Fix: Create separate keys for each environment in every
service you use.
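Reading the key from the environment and keeping environments apart fit in one startup routine. The code below is an added example, not the post's or any library's code. It assumes the key is in `OPENAI_API_KEY`, that `APP_ENV` names the environment, and that `DEV_KEY_FINGERPRINTS` holds a comma-separated list of short hashes (never the values) of the non-production keys, so production can refuse a dev key without the process ever seeing the dev key itself.

```python
"""Load an API key from the environment and refuse to start production with a
development key. Added example; variable names and the fingerprint convention are
assumptions, not a service's API."""
import hashlib
import os

ENVIRONMENTS = ("development", "staging", "production")


class MissingKey(RuntimeError):
    """Raised instead of silently falling back to a hardcoded default."""


class KeyReuse(RuntimeError):
    """Raised when a non-production key is about to be used in production."""


def fingerprint(key: str) -> str:
    """Short one-way identifier for a key: safe to log, diff and keep in an inventory."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def load_api_key(var_name: str, environ=os.environ) -> str:
    """Read a key from the environment, failing loudly if it is absent or blank."""
    value = environ.get(var_name, "").strip()
    if not value:
        raise MissingKey(
            f"{var_name} is not set; export it or put it in a .env file that is "
            "listed in .gitignore. Do not paste the key into the source."
        )
    return value


def current_environment(environ=os.environ) -> str:
    """APP_ENV, validated against the known environment names."""
    env = environ.get("APP_ENV", "development").lower()
    if env not in ENVIRONMENTS:
        raise ValueError(f"APP_ENV must be one of {ENVIRONMENTS}, got {env!r}")
    return env


def check_environment_separation(key: str, environ=os.environ) -> str:
    """Block a registered dev/staging key from running in production; returns the env."""
    env = current_environment(environ)
    known_dev = {
        f.strip() for f in environ.get("DEV_KEY_FINGERPRINTS", "").split(",") if f.strip()
    }
    if env == "production" and fingerprint(key) in known_dev:
        raise KeyReuse(
            f"key {fingerprint(key)} is registered as a non-production key; "
            "issue a separate production key"
        )
    return env


def configure(environ=os.environ) -> dict:
    """Startup settings. Carries the key's fingerprint, never the key, so it can be logged."""
    key = load_api_key("OPENAI_API_KEY", environ)
    env = check_environment_separation(key, environ)
    return {"environment": env, "openai_key_fingerprint": fingerprint(key)}


if __name__ == "__main__":
    print(configure())
```

The `environ` parameter exists so the routine can be exercised with a plain dict; in the app it defaults to the real process environment.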

## 4. Rotate your keys regularly

Keys are like passwords. The longer they stay the same,
the more risk you carry.

Rotate them every 90 days or immediately after:

  • An employee leaves
  • A key gets accidentally exposed
  • You finish working with a contractor

## 5. Know where every key lives

If someone asked you right now where your OpenAI key is
stored, how long would it take you to answer?

If it's more than 5 seconds, you have a problem.

Fix: Keep all your keys in one organized, secure place.

## 6. Use the principle of least privilege

Every API key should only have the permissions it actually
needs. Nothing more.

If your key only needs read access, don't give it write
access too.


I learned most of this the hard way while working across
multiple projects with dozens of API keys scattered
everywhere.

That's why I built Keydock, a simple, secure vault to
store and manage all your API keys in one place 🔑

Try it free at keydock.cloud
