If you've ever hardcoded an API key and pushed it to GitHub, you're not alone — and your key is already compromised.
API key security is one of those topics developers know they should care about but rarely prioritize until something goes wrong. Here's a practical checklist of the 5 most common mistakes, with real code examples and fixes.
Mistake 1: Hardcoding Keys in Source Code
This is the most common mistake, and it's catastrophic.
```javascript
// NEVER do this
const response = await fetch('https://api.forgelab.africa/pdf/compress', {
  headers: {
    'Authorization': 'Bearer fl_live_abc123xyz456secret'
  }
});
```
GitHub's secret scanning catches this quickly, but by then it's too late. Bots scrape GitHub continuously looking for exposed credentials.
The fix: Environment variables
```javascript
// Node.js — safe approach
import dotenv from 'dotenv';
dotenv.config();

const API_KEY = process.env.FORGELAB_API_KEY;
if (!API_KEY) throw new Error('FORGELAB_API_KEY is not set');

const response = await fetch('https://api.forgelab.africa/pdf/compress', {
  headers: { 'Authorization': `Bearer ${API_KEY}` }
});
```

```python
# Python — safe approach
import os

api_key = os.environ.get('FORGELAB_API_KEY')
if not api_key:
    raise ValueError('FORGELAB_API_KEY is not set')
```
Mistake 2: Committing .env Files
You put the key in .env — good. Then you committed .env to git — not good.
The fix:
```bash
# Add to .gitignore before first commit
echo ".env" >> .gitignore
echo ".env.local" >> .gitignore
echo ".env.production" >> .gitignore
```
Commit an .env.example with placeholder values instead:
```ini
# .env.example (safe to commit)
FORGELAB_API_KEY=your_api_key_here
DATABASE_URL=your_database_url_here
```
If you already committed .env, rotating the key is mandatory — even if you deleted it in the next commit. Git history is permanent.
Mistake 3: Using the Same Key Everywhere
One API key for local, staging, and production is a single point of failure. One leak exposes everything.
The fix: One key per environment
Most API platforms (including Forgelab) let you create multiple API keys:
- `fl_test_...` for development and testing
- `fl_live_...` for production only

If your test key leaks, rotate it; production is unaffected. It also keeps rate-limit quotas isolated, so a runaway test script won't eat your production quota.
Mistake 4: No Key Rotation Plan
"I'll rotate it when something goes wrong" is how you end up rotating keys at 2am during an incident.
The fix: Proactive rotation
- Rotate all API keys every 90 days
- Rotate immediately when a developer leaves the team
- Rotate immediately after any suspected exposure
- Never share keys in Slack, email, or chat
```bash
# Test the new key before deleting the old one
curl -X POST https://api.forgelab.africa/pdf/compress \
  -H "Authorization: Bearer $NEW_FORGELAB_KEY" \
  -F "file=@test.pdf" \
  -o test-output.pdf
# Only delete the old key after confirming the new one works
```
Mistake 5: Not Monitoring Key Usage
If someone steals your key and uses it slowly, you might not notice for weeks — until an unexpected bill arrives.
The fix: Monitor API usage
- Check your API dashboard weekly for unusual spikes
- Set up billing alerts before hitting tier limits
- Review rate limit headers in responses
Forgelab's API returns clear usage headers on every response:
```http
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1716192000
```
Log these in your application. A sudden drop from 87 to 3 remaining between requests is a red flag worth investigating.
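To turn that red flag into a check, here is an added example (not code from the original post) that parses the three X-RateLimit-* headers from each response and flags quota consumed by someone other than this client, plus a nearly exhausted quota. The sample header values, the 10% low-quota threshold and the `slack` option are constructed assumptions.

```javascript
// Added example, not code from the original post: monitor the X-RateLimit-*
// headers shown above. Sample values, the 10% threshold and `slack` are assumptions.
function parseRateLimit(headers) {
  // Works with a fetch() Headers object or a plain object of header fields.
  const get = (n) => (typeof headers.get === 'function' ? headers.get(n) : headers[n]);
  const values = ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset']
    .map((n) => Number(get(n)));
  if (values.some((v) => !Number.isInteger(v))) {
    throw new Error('missing or malformed X-RateLimit-* headers');
  }
  return { limit: values[0], remaining: values[1], reset: values[2] };
}

class KeyUsageMonitor {
  // slack: unexplained calls tolerated per sample (e.g. a transparent retry);
  // lowFraction: warn when remaining quota falls to this share of the limit.
  constructor({ slack = 0, lowFraction = 0.1 } = {}) {
    Object.assign(this, { slack, lowFraction, last: null });
  }
  // Record one response's headers; callsMade is how many requests this client
  // sent since the previous sample. Returns a list of findings (empty if clean).
  record(headers, callsMade = 1) {
    const cur = parseRateLimit(headers);
    const prev = this.last;
    this.last = cur;
    const findings = [];
    // Compare only inside one reset window; a new window restarts the counter.
    if (prev && prev.reset === cur.reset) {
      const unexplained = prev.remaining - cur.remaining - callsMade;
      if (unexplained > this.slack) {
        findings.push({ kind: 'unexplained_consumption', calls: unexplained });
      }
    }
    if (cur.remaining <= cur.limit * this.lowFraction) {
      findings.push({ kind: 'quota_nearly_exhausted', remaining: cur.remaining });
    }
    return findings;
  }
}

// Constructed samples; the second reproduces the 87 -> 3 drop described above.
const SAMPLES = [
  { 'X-RateLimit-Limit': '100', 'X-RateLimit-Remaining': '87', 'X-RateLimit-Reset': '1716192000' },
  { 'X-RateLimit-Limit': '100', 'X-RateLimit-Remaining': '3', 'X-RateLimit-Reset': '1716192000' },
  { 'X-RateLimit-Limit': '100', 'X-RateLimit-Remaining': '99', 'X-RateLimit-Reset': '1716195600' },
];
// Run a logged sequence of responses through one monitor; returns findings per response.
function scanSamples(samples, options) {
  const monitor = new KeyUsageMonitor(options);
  return samples.map((h) => monitor.record(h));
}
```

Call `record()` with the headers of every response your client makes; a non-empty result is what you alert on, and the `reset` check keeps a new rate-limit window from looking like theft.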
Quick Security Checklist
Before pushing any code that uses an API key:
- [ ] Key is in an environment variable, not in source code
- [ ] `.env` is in `.gitignore`
- [ ] `.env.example` exists with placeholder values
- [ ] Separate keys for dev and production
- [ ] Know how to rotate the key in under 5 minutes
Forgelab API
If you're using the Forgelab PDF API or Image API, you can generate and manage API keys from your dashboard. The free tier includes 5 calls/month — no card required.
```bash
# Compress a PDF with the Forgelab API
curl -X POST https://api.forgelab.africa/pdf/compress \
  -H "Authorization: Bearer $FORGELAB_API_KEY" \
  -F "file=@document.pdf" \
  -o compressed.pdf
```
Any questions? info@forgelab.africa