Store your API keys

Learn how to store your API keys safely and securely and protect your systems and environment from security risks

Discover why you need to store your API keys securely. In this article, you’ll find our recommendations, the storage options you have, what you must look out for, and what may happen if you do not follow these best practices.

At the end of this guide, you should know where to store your API keys without worrying about them being compromised.

Prerequisites:

• You know what API keys are
• You understand permissions and roles
• You have access to your admin user or any other user with the api-keys.create permission

Read more about:

• Users and API keys
• Add an API key to your account
• Managing roles
• Regenerate API keys

Storing API keys

Whenever you create an API key, you are given its token. However, you only get this token once.

You are asked to secure the token somewhere safe because you cannot recover it if you lose it.

The best place to store an API key is in a secrets manager.

• Read more about regenerating API keys.

Faulty storage methods

Although convenient, please remember that secure storage does not mean keeping the API key in your private Slack channel.

Neither does it mean putting it in a plain text file on Google Drive.

And worst of all, it sure does not mean pushing it to your public code repository. When you place your API key in your source control system, it is out for everyone to see.

If you follow any of these unsafe storage methods, there’s a real chance that your API key gets into the wrong hands.

That would mean someone else has your information. And at worst, they might even delete all of it or take advantage of you.

The result? Your system is compromised, and any security you thought you had is gone.

Here’s what to do instead.

Storing API keys safely: best practices

Ideally, you want to use a tool where you can configure your environment secrets per environment.

There are a bunch of secret managers available. However, please make sure that the secret manager you choose is secure.

We highly recommend you to use Doppler. Through Doppler you can synchronize your environment variables across systems, environments, and staff.

Another good choice is Vault by Hashicorp. They promise secure and tight access control to tokens, passwords, and the like.

Using any of these will give you the peace of mind that your secrets are managed, and your systems are safe from security risks.

You should now know why and how to protect your API key tokens from malicious parties.