DEV Community

Stas Leonov
Stas Leonov

Posted on

How I finally stopped debugging in production

I spend a lot of time thinking about how to keep API keys out of my codebase without making local development harder. For years I cycled through the same pattern: environment files, dotenv loading, careful gitignore rules, the usual hygiene. It works, but it's friction every time you onboard someone new or switch machines, and there's always that moment of paranoia when you realize a key might have leaked into version history.

The real issue is that credentials and code want to live in different places, but in practice they end up in the same terminal session. You need them available at runtime, but you don't want them sitting in plaintext files. I've learned that the cleanest workflows are the ones where the credential mechanism is orthogonal to how you write code—something that fits naturally into your existing setup without special cases.

These days I handle this by treating the base URL as a parameter, the same way I'd handle any other environment variable, and keeping the actual secret material somewhere completely separate from my repository. I use nullsink as the proxy layer, where I mint a bearer key once and top it up with on-chain funds; then I point my SDK at it exactly the way I'd point it anywhere else, just with a different URL. The key sits in my environment, the source code doesn't know or care where it's actually calling, and there's nothing sensitive in git.

The separation of concerns is the whole win. Your deployment code, your local scripts, your tests—they all just talk to the proxy the same way. The proxy handles auth and billing. The actual API credentials never touch your machine at all. It's less about the specific tool and more about not tangling authentication logic into your application logic in the first place.

Top comments (0)