Best Practices for Securing Your API Keys
API keys are the keys to your kingdom. Here are our top recommendations for keeping them safe.
API keys grant access to powerful (and expensive) services. A leaked OpenAI key can result in thousands of dollars in fraudulent charges. Here's how to keep your keys safe.
The Threat Landscape
API keys get exposed in several ways:
• Git commits: Accidentally committing .env files or hardcoded keys
• Client-side code: Embedding keys in JavaScript that runs in browsers
• Logs: Keys appearing in error messages or debug output
• Screenshots: Sharing terminal output or dashboard screenshots
• Shared credentials: Passing keys through Slack, email, or docs
Principle of Least Privilege
Not every key needs full access. When creating API keys:
Use Scoped Tokens
IBYOK access tokens support scopes:
• `keys:read` - Retrieve key values
• `usage:read` - View usage statistics
Only grant the scopes your application actually needs.
Separate Keys by Environment
Don't use your production OpenAI key in development. Create a separate key for each environment, which gives you:
• Lower rate limits for dev keys
• Easier to rotate if compromised
• Clear audit trail per environment
Rotate Regularly
Set a rotation schedule. When you rotate:
1. Create the new key
2. Update IBYOK with the new value
3. Verify your applications work
4. Delete the old key from the provider
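The four steps above only work safely in that order: the old key must stay valid until the new one is verified, so a failed rotation never leaves applications without a working key. The following is an added example, not IBYOK's or any provider's code; `FakeProvider` and `FakeStore` are hypothetical in-memory stand-ins for the provider's key-management API and the IBYOK store, and the `verify` callback stands in for whatever health check your application runs with the new key.

```python
from __future__ import annotations

from typing import Callable


class FakeProvider:
    """In-memory stand-in for a provider's key management (e.g. an OpenAI
    dashboard). Hypothetical: a real provider exposes its own API for this."""

    def __init__(self, existing: list[str]) -> None:
        self.active: set[str] = set(existing)
        self._counter = 0

    def create_key(self) -> str:
        self._counter += 1
        key = f"sk-constructed-{self._counter:04d}"  # constructed value, not a real key
        self.active.add(key)
        return key

    def delete_key(self, key: str) -> None:
        self.active.discard(key)


class FakeStore:
    """Stand-in for the secret store applications read from (IBYOK here).
    Hypothetical interface; the real IBYOK API is not shown on the page."""

    def __init__(self, values: dict[str, str]) -> None:
        self.values = dict(values)

    def get(self, name: str) -> str:
        return self.values[name]

    def set(self, name: str, value: str) -> None:
        self.values[name] = value


def rotate_key(provider: FakeProvider, store: FakeStore, name: str,
               verify: Callable[[str], bool]) -> str:
    """Rotate `name` following the four steps; the old key is deleted only
    after the new one has been verified, so a failed rotation keeps service intact."""
    old = store.get(name)
    new = provider.create_key()          # 1. create the new key at the provider
    store.set(name, new)                 # 2. update the store with the new value
    if not verify(new):                  # 3. verify applications work with it
        store.set(name, old)             #    roll back: the old key was never deleted
        provider.delete_key(new)
        raise RuntimeError(f"rotation of {name} failed verification; old key kept")
    provider.delete_key(old)             # 4. only now delete the old key
    return new


def demo(verify_ok: bool) -> tuple[str, set[str]]:
    """Run one rotation against constructed state; return (stored value, active keys)."""
    provider = FakeProvider(existing=["sk-constructed-old"])
    store = FakeStore({"openai": "sk-constructed-old"})
    try:
        rotate_key(provider, store, "openai", verify=lambda key: verify_ok)
    except RuntimeError:
        pass  # rollback already happened inside rotate_key
    return store.get("openai"), set(provider.active)
```

In a real rotation, `verify` should exercise the application path that actually uses the key (a request through the same client and configuration your service runs with), not just a provider-side "key exists" check.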
Secure Storage
Never Commit Keys
Add these to your .gitignore:
.env
.env.local
.env.*.local
*.pem
credentials.json
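A .gitignore entry only helps if nothing with a key in it ever reaches the index, so it is worth checking staged files before each commit. Here is an added example (not from the IBYOK project) of a small pre-commit check in Python: it applies the same five patterns listed above to staged file names and flags lines that look like a hard-coded key assignment. The regex is a constructed heuristic, not any vendor's key format, and `SAMPLE_STAGED` is constructed input standing in for a real staged commit.

```python
from __future__ import annotations

import fnmatch
import re
import subprocess

# The same patterns as the .gitignore entries above. fnmatch approximates gitignore
# glob semantics for a file's basename, which is enough for this pre-commit check.
IGNORE_PATTERNS = [".env", ".env.local", ".env.*.local", "*.pem", "credentials.json"]

# Heuristic for hard-coded keys: an assignment to a name ending in KEY/TOKEN/SECRET/
# PASSWORD whose value is a long run of token characters. Constructed for this
# example; it is not a vendor-specific key format.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"
)


def is_ignored_name(path: str) -> bool:
    """True if the file's basename matches one of the secret-file patterns."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, pattern) for pattern in IGNORE_PATTERNS)


def find_secret_risks(staged: dict[str, str]) -> list[str]:
    """Return one finding per secret file or secret-looking line in the staged set.

    `staged` maps a repository path to that file's staged content.
    """
    findings: list[str] = []
    for path, content in staged.items():
        if is_ignored_name(path):
            findings.append(f"{path}: secret file is staged; it belongs in .gitignore")
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            if SECRET_ASSIGNMENT.search(line):
                findings.append(f"{path}:{lineno}: looks like a hard-coded API key")
    return findings


def staged_from_git() -> dict[str, str]:
    """Collect staged files and their staged content from the current repository."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z"],
        capture_output=True, text=True, check=True,
    ).stdout.split("\0")
    staged: dict[str, str] = {}
    for name in filter(None, names):
        # ":path" reads the index copy; a deleted file has none, so store empty text.
        shown = subprocess.run(["git", "show", f":{name}"], capture_output=True, text=True)
        staged[name] = shown.stdout if shown.returncode == 0 else ""
    return staged


# Constructed sample of a staged commit: an environment file, a config module with a
# hard-coded key, and a README that only names the variable (must not be flagged).
SAMPLE_STAGED = {
    ".env.staging.local": "OPENAI_API_KEY=sk-CONSTRUCTED-EXAMPLE-0000000000000000\n",
    "app/config.py": 'API_KEY = "sk-CONSTRUCTED-EXAMPLE-0000000000000000"\nDEBUG = True\n',
    "README.md": "Set OPENAI_API_KEY in your environment before running.\n",
}

if __name__ == "__main__":
    import sys

    problems = find_secret_risks(staged_from_git())
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Wired in as a pre-commit hook, a non-zero exit blocks the commit; the staged-file reader uses only `git diff --cached --name-only` and `git show :path`, so it needs no extra tooling.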
Use Secret Management
Store your IBYOK access token (which retrieves your other keys) in:
• Local development: Environment variables
• CI/CD: GitHub Secrets, GitLab CI Variables
• Production: AWS Secrets Manager, HashiCorp Vault
Encrypt at Rest
IBYOK encrypts all stored keys using AWS KMS. Your keys are never stored in plain text.
Access Control
Audit Access
IBYOK logs every key retrieval. Review these logs for:
• Unexpected access patterns
• Access from new locations
• Failed authentication attempts
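Each of the three review points above can be turned into a rule that runs over exported retrieval logs. The example below is added here and is not IBYOK's code: it assumes a JSON-lines export with `ts`, `token`, `ip`, `key` and `result` fields (a constructed shape; IBYOK's real log format is not shown on this page), uses constructed RFC 5737 documentation addresses as sample data, and flags successful retrievals from outside each token's baseline networks, repeated authentication failures from one address, and unusually high hourly volume per token.

```python
import ipaddress
import json
from collections import Counter

# Baseline: the networks each access token is normally used from. Constructed for
# this example using RFC 5737 documentation address ranges.
BASELINE = {
    "tok_ci": [ipaddress.ip_network("203.0.113.0/24")],
    "tok_prod": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed retrieval log in a JSON-lines shape; the real export format will differ.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "token": "tok_ci", "ip": "203.0.113.10", "key": "openai", "result": "ok"}
{"ts": "2024-05-01T09:05:00Z", "token": "tok_ci", "ip": "203.0.113.11", "key": "openai", "result": "ok"}
{"ts": "2024-05-01T09:10:00Z", "token": "tok_prod", "ip": "198.51.100.5", "key": "openai", "result": "ok"}
{"ts": "2024-05-01T10:00:00Z", "token": "tok_prod", "ip": "192.0.2.77", "key": "openai", "result": "ok"}
{"ts": "2024-05-01T11:00:00Z", "token": "tok_ci", "ip": "192.0.2.200", "key": "openai", "result": "auth_failed"}
{"ts": "2024-05-01T11:00:02Z", "token": "tok_ci", "ip": "192.0.2.200", "key": "openai", "result": "auth_failed"}
{"ts": "2024-05-01T11:00:05Z", "token": "tok_ci", "ip": "192.0.2.200", "key": "openai", "result": "auth_failed"}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def review(log_text, baseline, fail_threshold=3, hourly_threshold=50):
    """Return findings as tuples whose first element names the rule that fired."""
    findings = []
    failures = Counter()   # (token, ip) -> failed authentication attempts
    per_hour = Counter()   # (token, hour) -> successful retrievals
    for event in parse_log(log_text):
        token, ip = event["token"], ipaddress.ip_address(event["ip"])
        if event["result"] != "ok":
            failures[(token, event["ip"])] += 1
            continue
        # Access from a new location: a successful retrieval outside the baseline nets.
        if not any(ip in net for net in baseline.get(token, [])):
            findings.append(("new_location", token, event["ip"]))
        per_hour[(token, event["ts"][:13])] += 1   # ISO timestamp prefix down to the hour
    # Failed authentication attempts: repeated failures from one address per token.
    for (token, ip_str), n in failures.items():
        if n >= fail_threshold:
            findings.append(("failed_auth", token, ip_str, n))
    # Unexpected access pattern: more retrievals in an hour than the token should need.
    for (token, hour), n in per_hour.items():
        if n > hourly_threshold:
            findings.append(("high_volume", token, hour, n))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, BASELINE):
        print(finding)
```

The thresholds are parameters because the right values depend on the token: a CI token that fetches a key once per pipeline run has a very different normal volume from a production service, so set `hourly_threshold` per token from its observed history rather than using one global number.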
Use Short-Lived Tokens
When generating access tokens, set appropriate expiration:
• CI/CD pipelines: Short expiration (7-30 days)
• Production services: Longer expiration with monitoring
Incident Response
If you suspect a key is compromised:
1. **Rotate immediately** - Don't wait to investigate
2. **Check usage** - Review provider dashboards for unusual activity
3. **Audit access logs** - Determine how it was exposed
4. **Fix the root cause** - Update processes to prevent recurrence
Security Checklist
• [ ] Keys stored in IBYOK, not in code
• [ ] .gitignore includes all secret files
• [ ] Access tokens have minimal required scopes
• [ ] Token expiration is set appropriately
• [ ] Audit logs are reviewed regularly
• [ ] Incident response plan documented
• [ ] Team trained on key security
Security is a practice, not a product. IBYOK gives you the tools, but following these practices is what keeps your keys safe.