DEV Community

LaoWuuu

Your API key might already be leaked. Here's how to check.

Most developers don't think about API key security until something goes wrong. A surprise bill, a rate limit you didn't trigger, or worse — someone using your key to run inference on models you never touched.

Here's the uncomfortable truth: if you've ever committed a .env file to a public repo, pasted a key in a Slack channel, or shared it in a support ticket, your key is probably out there. GitHub scans for secrets, but it doesn't catch everything. And once a key is in a public commit history, even if you delete the repo, it's already been scraped.

The first thing to do is check if your key has been exposed. Search your GitHub repos for your key prefix. Most API providers use a prefix that identifies the service — OpenAI keys start with "sk-", Anthropic with "sk-ant-", DeepSeek with "sk-". Run a search across all your repos, including forks and gists.

If you find a match, rotate the key immediately. Don't just delete the file — the commit history still has it. Generate a new key and delete the old one from the provider's dashboard.
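The prefix search and the history check described above, as an added example that is not part of the original post: a small Python scanner that looks for the prefixes the post names in arbitrary text, including the output of `git log -p --all`, so that keys in deleted files and old commits are found too. The 16-character minimum length and the redacted report format are assumptions, and the sample diff hunk is constructed.

```python
# Scan text such as `git log -p --all` output for API key candidates by provider prefix.
import re
import subprocess
from typing import NamedTuple

# Prefixes from the post; the specific "sk-ant-" is tested before the generic "sk-".
# OpenAI and DeepSeek share "sk-", so the prefix alone cannot tell them apart.
PREFIXES = [("Anthropic", "sk-ant-"), ("OpenAI/DeepSeek", "sk-")]

# A prefix followed by a run of token characters. The 16-char minimum is an
# assumption that skips short false positives such as "sk-test".
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])(sk-(?:ant-)?[A-Za-z0-9_-]{16,})")

class Finding(NamedTuple):
    line_no: int
    provider: str
    redacted: str  # prefix + 4 chars + "..." so the report does not leak the key

def describe(token: str) -> tuple[str, str]:
    """Return (provider, redacted form) for a matched token."""
    for provider, prefix in PREFIXES:
        if token.startswith(prefix):
            return provider, prefix + token[len(prefix):len(prefix) + 4] + "..."
    return "unknown", token[:4] + "..."

def scan_text(text: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            provider, redacted = describe(m.group(1))
            findings.append(Finding(n, provider, redacted))
    return findings

def scan_git_history(repo_path: str = ".") -> list[Finding]:
    """Scan every commit on every branch, so keys in deleted files are found too."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(out)

# Constructed sample resembling a `git log -p` hunk that once added a .env file.
SAMPLE = """\
+OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456
+ANTHROPIC_API_KEY=sk-ant-api03-zyxwvutsrqponmlkjihgfedcba
+MODE=sk-test
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.provider} key candidate {f.redacted}")
```

Run `scan_git_history()` inside a checkout to cover the whole history rather than just the working tree; any hit means the key should be rotated, not merely removed from the file.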

Beyond checking for leaks, here are some habits that help. Never hardcode keys in source code. Use environment variables or a secrets manager. If you're in a team, use a shared vault instead of passing keys around in chat. Set spending limits on your API accounts so a leaked key can't rack up a huge bill before you notice.

For teams managing multiple keys across multiple models, a gateway adds another layer of control. Instead of distributing individual provider keys to every developer, you give them one gateway key. If someone leaves the team or a key gets compromised, you only need to rotate one key instead of tracking down every place a provider key was used.

The worst feeling is finding out your key was leaked because of an unexpected bill. Check your repos today — it takes five minutes and could save you a lot of trouble.
