How You Can (And Why You Should) Secure Your API Keys

Author:Murphy  |  View: 29716  |  Time: 2025-03-23 19:29:31
Photo by regularguy.eth on Unsplash

API keys play the important role of identifying the applications making requests. They are a security measure that ensures that unauthenticated people can't access information on a given server. However, without sufficient protection of these keys, it is easy for external parties to acquire these keys and cause some real damage.

To avoid this outcome, businesses may employ IT administrators, who are responsible for storing, managing, and rotating API keys for multiple people and projects using sophisticated tools (e.g., AWS Secrets Manager).

However, due to the severe consequences of sharing/leaking API keys, the burden of keeping them secure shouldn't fall on the administrators alone; every team member should understand the importance of keeping their API keys secure.

Here, we delve into the damage that can be done by leaking API keys and explore simple best practices for protecting them.

Consequences of Sharing API Keys

Failing to secure API keys is harmful for various reasons.

Firstly, it leads to people or businesses incurring costs for API calls that they haven't even used. A notable victim is DevFactor founder Andrew Hoffman, who received a $2,375 bill after accidentally posting his AWS keys on GitHub! Unfortunately, there are bots crawling across public spaces, so revealing API keys for even a short duration of time can be a costly mistake.

Secondly, attackers that acquire such keys can access and leverage any of the information accessible by the API. This can be seen in the rise in cases of cybercriminals that use leaked cryptocurrency exchange API keys to steal cryptocurrencies from their victims' accounts.

Finally, it increases the likelihood of apps being subject to malicious activity such as DDoS attacks, where attackers crash servers by flooding them with fake traffic.

Fortunately, these undesirable outcomes can be prevented with some care and caution, which can be exercised using the following tips.

Tip 1 – Avoid Storing API Keys Directly in Code

The easiest way to store API keys would be to embed them directly into the program that makes the API calls, but this allows readers to instantly attain the same access rights for the API in question.

A preferable alternative would be to store them as environmental variables. Environmental variables are essentially objects that can be defined in the operating system outside of the application.

On Windows, one can create a new environmental variable by opening the "Settings" window, selecting "System", "Advanced system settings", "Environment Variables", and then clicking on "New".

Create a New Variable (Created By Author)

Another option would be to create an environmental variable using code. For example, here's how one could create an environmental variable in Python with the os library.

When the environmental variable is stored, it can be easily accessed via code.

Code Output (Created By Author)

Tip 2 – Avoid uploading API Keys to Code Repositories

When uploading a project into a repository, it is important to ensure that all files containing API keys will not be included in the upload.

The simplest way to do so is by using a .gitignore file. A .gitignore file tells git which files should be intentionally ignored when pushing projects to a repository.

To create a .gitignore file, simply enter the following command in git bash:

touch .gitignore

Alternatively, one can create a text file and name it ".gitignore".

To omit the files with API keys, simply enter their file paths into the .gitignore file.

Tip 3 – Rotate API Keys

Ultimately, even seasoned professionals can get careless and expose API keys. To rectify such a mistake, one can rotate API keys (i.e., replacing the old key with a newly generated one) when they are compromised (or suspected to be compromised).

Rotating API keys mitigates the risk of exposing keys to other parties. As a safety measure, some teams switch their keys periodically (e.g., every 90 days) even when there has been no breach. The best approach for rotating API keys depends on the API in question, so there isn't a one-size-fits-all way to achieve this.

Note: When rotating a key, do ensure that the application will make API calls with the new key as opposed to the outdated one.

Tip 4 – Delete Unneeded API Keys

Finally, when certain API keys are no longer needed, it is best to simply delete them altogether.

This step should be completed only after verifying that the API key is not being utilized by the app (i.e., still in production).

Conclusion

Photo by Prateek Katyal on Unsplash

Given the importance of API keys in projects, teams may comprise personnel that are responsible for managing API keys. However, leaks of API keys can be caused by novices and seasoned professionals alike.

Thus, every member should be aware of how easily API keys can be leaked, what methods can be used to prevent leakages, and what solutions can be used to rectify leakages.

Thank you for reading!

Tags: API Python

Comment

Recommend

  • 3 SQL Optimization Techniques That Can Instantly Boost Query Speed
  • How to Measure and Improve the Diversity of Forecasting Ensembles
  • The Pareto Principle in Data Engineering
  • Mastering AI Department Reorganizations: Lessons from the Trenches
  • Mastering data integration from SAP Systems with prompt engineering
  • Economics of Generative AI
  • How I Became a Data Scientist as an International Student with Broken English
  • Awesome Plotly with Code Series (Part 3): Highlighting Bars in the Long Tails
  • Type Hints in Python
  • How to Convert a Single HEX Color Code into a Monochrome Color Palette with Python
  • Custom Memory for ChatGPT API
  • How to use React to build Web Apps