What are some best practices and recommendations on how to store and protect API keys?

Store API keys / secrets safely

  • Do not embed API keys / secrets directly in code.
  • Do not store API keys / secrets in files inside your application, including the application’s source tree
  • If you do accidentally commit an API key / secrets to version control, revoke it immediately and generate a new one.
  • Ensure API keys / secrets do not appear in URLs or anywhere that can be captured in web server logs.
  • Review your code carefully and ensure it doesn’t contain API keys / secrets or any other private information before publicly releasing it.
  • Put the configuration file containing the API keys / secrets in the revision control ignore (ex. .gitignore). This prevents committing them by mistake in the future.

Limit the usage of API keys / secrets

  • Restrict your API keys / secrets to be used by only the IP addresses, referrer URLs, and mobile apps that need them.
  • Don't share your API keys / secrets with different applications. If more than one application uses the same API, register each application to get a new set of API keys / secrets.

Update API keys / secrets

  • Delete unneeded API keys / secrets.
  • Update (Regenerate) your API keys / secrets periodically.


  1. Best practices for securely using API keys: https://support.google.com/cloud/answer/6310037?hl=en
  2. REST Security Cheat Sheet - OWASP: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet