
· · Daniel A
How to Securely Store API Keys and Secrets
Best practices for storing API keys, tokens, and secrets safely.
Let's be honest: we've all stored API keys in a notes.txt file on our desktop at some point.
Or worse: committed them to a public GitHub repo. Or pasted them in Slack. Or emailed them to ourselves. Every developer has done something like this. And every time, we knew it was wrong.
Here's how to do it right.
Never Do These Things
- Commit API keys to version control
- Store keys in unencrypted text files
- Send keys via email or Slack
- Paste keys directly in code
- Share keys in screenshots or screen recordings
The Real Risks
API keys leaked to public repos get found within minutes. Bots constantly scan GitHub for exposed credentials. Once found, they're used for cryptocurrency mining, spam campaigns, or sold on dark web markets.
The cost can be devastating. AWS keys can rack up $50,000+ in charges overnight. Stripe keys can process fraudulent transactions. OpenAI keys can burn through your credits in hours.
The Right Approaches
For Production: Use a Secrets Manager
AWS Secrets Manager, HashiCorp Vault, or your cloud provider's equivalent. These are designed specifically for this purpose. Secrets are encrypted at rest, access is logged, and rotation is automated.
For Development: Use Environment Variables
Store secrets in a .env file that's gitignored. Load them at runtime. Never commit them. For sharing with teammates, use a secure channel and have everyone maintain their own .env file.
.gitignore Essentials
For Personal Reference: Use an Encrypted Notes App
You still need quick access to keys for personal projects, testing, and reference. The solution: an encrypted personal knowledge base.
This is exactly why we built SimplyBoard. Store your API keys, tokens, and credentials with client-side encryption. Search instantly when you need them. Access from any device. Sleep well knowing they're not in plaintext anywhere.
Why SimplyBoard for API Keys
- Client-side AES-256 encryption
- Instant search across all your keys
- Access from any device
- Offline support for when you're on a plane
- We can't see your keys even if we wanted to
Key Rotation
Rotate your keys regularly. If a key has been exposed (or you suspect it might have been), rotate immediately. Most services let you generate new keys without downtime.
Good secrets management isn't about paranoia. It's about reducing the blast radius when (not if) something goes wrong.
Quick Checklist
- Production secrets in a proper secrets manager ✓
- Development secrets in .env files (gitignored) ✓
- Personal reference keys in an encrypted notes app ✓
- Regular key rotation scheduled ✓
- No secrets in code, logs, or version control ✓
· The SimplyBoard Team