What should I do if I accidentally hardcoded an API key in source code?

Immediately revoke the key and issue a new one. Since it remains in Git history, use git filter-branch or BFG Repo-Cleaner to rewrite history. Manage the new key via environment variables.

How often should I rotate API keys?

Critical production keys should be rotated within 90 days, development keys within 180 days. Use AWS Secrets Manager or similar tools to automate rotation and reduce manual management risk.

What if I need to use an API key in frontend code?

Never use keys with write access or sensitive data access in frontend code. Relay requests through a backend API instead. Even for public API keys, set HTTP referrer restrictions and usage limits.

API Key Security: Best Practices for Developers

About 8 min read

API keys and secrets are the credentials that grant programmatic access to services and data. A leaked API key can lead to unauthorized access, data breaches, and unexpected charges. This article covers the risks of API key exposure and practical methods for secure management.

What Should You Do First?

Start by auditing your current codebase for hardcoded secrets, then migrate them to environment variables or a secret manager.

Why API Key Leaks Are Dangerous

Unlike passwords that protect individual user accounts, API keys often grant broad access to entire services, databases, or cloud infrastructure. A single leaked key can create a critical vulnerability that compromises an entire system.

Automated bots continuously scan public repositories for exposed credentials. Once a key is found, attackers can exploit it within minutes to spin up cryptocurrency miners, exfiltrate data, or launch attacks on other systems. In recent years, supply chain attacks that inject malicious code into legitimate libraries have also become a growing vector for API key theft.

Common Causes of API Key Exposure

Hardcoding in Source Code

Embedding API keys directly in source code is the most common cause of leaks. Even if the repository is private, keys in code can be exposed through code sharing, screenshots, or repository access changes.

Committing .env Files

Environment files containing secrets are sometimes accidentally committed when .gitignore is not properly configured. Always verify that sensitive files are excluded from version control.

For building a secure development environment, API security and credential management books (Amazon) are helpful.

Client-Side Exposure

API keys embedded in frontend JavaScript are visible to anyone who inspects the page source. Keys that grant write access or access to sensitive data must never be used in client-side code. An exposed key can serve as a backdoor into your system for attackers.

Best Practices for Secure Key Management

Environment Variables

Store API keys in environment variables rather than in code. Use .env files for local development and configure environment variables through your deployment platform for production.

Secret Managers

For production environments, use dedicated secret management services like AWS Secrets Manager, HashiCorp Vault, or Google Secret Manager. These provide encryption at rest, access control, and automatic rotation.

Key Rotation

Regularly rotate API keys to limit the window of exposure if a key is compromised. Automate the rotation process to reduce human error and ensure consistency.

Least Privilege Principle

Grant API keys only the minimum permissions needed for their specific use case. Avoid using master keys or admin-level credentials in application code. Use AWS IAM policies or Google Cloud IAM roles to implement fine-grained access control. The principle of least privilege is the most fundamental security principle in API key management.

To learn more about permission design and access control implementation patterns, IAM and access control design books (Amazon) are helpful.

Generating Strong API Keys with Passtsuku.com

When you need to generate custom API keys or secrets, Passtsuku.com provides cryptographically secure random strings. Set the length to 32 characters or more with all character types enabled for maximum entropy.

For generating multiple keys at once, use the bulk generation feature. Each key will be unique and cryptographically random, suitable for different services and environments.

Detecting Leaked Keys

Use tools like git-secrets, truffleHog, or GitHub's built-in secret scanning to detect accidentally committed credentials. Set up pre-commit hooks to prevent secrets from being committed in the first place.

Take Action Now

Verify that .gitignore includes .env, .env.local, and .env.production, and add them if missing
Search for hardcoded API keys in source code and migrate any found to environment variables
Generate random strings of 32+ characters with Passtsuku.com for use as custom API keys or secrets
Enable GitHub's secret scanning feature to automatically detect leaks
Set up a rotation schedule of 90 days or less for critical production keys

Frequently Asked Questions

What should I do if I accidentally hardcoded an API key in source code?: Immediately revoke the key and issue a new one. Since it remains in Git history, use git filter-branch or BFG Repo-Cleaner to rewrite history. Manage the new key via environment variables.
How often should I rotate API keys?: Critical production keys should be rotated within 90 days, development keys within 180 days. Use AWS Secrets Manager or similar tools to automate rotation and reduce manual management risk.
What if I need to use an API key in frontend code?: Never use keys with write access or sensitive data access in frontend code. Relay requests through a backend API instead. Even for public API keys, set HTTP referrer restrictions and usage limits.

Was this article helpful?

Generate passwords →