All contentArticle
Using API keys safely
Server-side storage, scope reduction, rotation and incident response basics.
An API key is the identity of an integration. It must not appear in source repositories, browsers, support messages or logs.
Apply least privilege
Separate keys by environment and integration. Define domain, IP, source and usage policies as narrowly as possible.
Design rotation before an incident
Document how to create a new key, move traffic and revoke the previous key. Assign ownership and response time for suspected exposure.
The raw key should be shown only at creation; use a safe identifier such as the final characters afterward.