Handling API Keys
If you are using a web service that requires an API key, there are a few things to keep in mind. However you store a key, the arrangement must meet the following requirements:
- Not hard-coded into your source code
- Not committed to version control
- Convenient to use
- Convenient to change (rotate) if the key is leaked or expires
- Unique for each environment (for example, development and production)
Key Storage
Our recommended way of storing and using API keys is in a .env (dotenv) file.
A .env file is a plain text file that holds key-value pairs, one per line, which are loaded into the process's environment variables at runtime instead of being written into the code.
For instance, if your OpenAI API key were sk-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz, your .env file would contain a single line assigning that value to an environment variable name of your choosing.
- Ensure .env is listed in your .gitignore file. The .env file should never be pushed to a remote repository; it is for your eyes only.
- Store the .env file in the root directory of your project.
- Back up the .env file or the key itself in a secure location, such as a password manager; a free personal Bitwarden account is an excellent option.
- If you notice that the key or the .env file has been published somewhere public for any length of time, revoke it and generate a new one immediately; treat it as compromised even if you believe nobody saw it.
Note
The .env file is a simple text file, so you can use any text editor to create and edit it.
Key Usage
If you are using Python, the python-dotenv package (imported as dotenv) lets you load a .env file into the environment. First, install it with pip (python-dotenv) or conda. In your code, load the file and read the environment variable into a Python variable such as RESOURCE_API_KEY (you may name it whatever you like; the Python variable name does not have to match the environment variable name).
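The .env contents described under Key Storage, the .gitignore check from the list there, and the Python usage described here, as one added example (this is not code from the original page). It assumes the environment variable is named OPENAI_API_KEY, which the page does not specify, uses the page's dummy key value, and falls back to a small KEY=VALUE parser with the same semantics as load_dotenv if python-dotenv is not installed:

```python
"""Load an API key from a .env file (added example, not code from the page).

Assumptions not stated on the page: the environment variable is named
OPENAI_API_KEY, and the key below is the page's dummy value, not a real
credential. python-dotenv is used when installed; otherwise a small stand-in
parser with the same KEY=VALUE semantics keeps the example runnable.
"""
import os
import tempfile
from pathlib import Path

try:
    from dotenv import load_dotenv  # pip install python-dotenv
except ImportError:
    def load_dotenv(dotenv_path=None, override=False):
        """Stand-in for dotenv.load_dotenv: KEY=VALUE lines, # comments,
        an optional 'export ' prefix and surrounding quotes. Like the real
        one, it does not overwrite variables already in the environment."""
        path = Path(dotenv_path or ".env")
        if not path.is_file():
            return False
        for raw in path.read_text(encoding="utf-8").splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            if line.startswith("export "):
                line = line[len("export "):]
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            if override or key not in os.environ:
                os.environ[key] = value
        return True

# Constructed .env contents: what the file in the project root would hold.
ENV_FILE_CONTENTS = """\
# Local secrets for this checkout only. Never commit this file.
OPENAI_API_KEY=sk-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
"""

# .gitignore lines that cover a .env file in the project root.
IGNORE_PATTERNS = {".env", "/.env", "*.env"}


def env_is_gitignored(project_root: Path) -> bool:
    """True if the project's .gitignore contains a pattern covering .env."""
    gitignore = project_root / ".gitignore"
    if not gitignore.is_file():
        return False
    lines = {line.strip() for line in gitignore.read_text(encoding="utf-8").splitlines()}
    return bool(lines & IGNORE_PATTERNS)


def load_api_key(project_root: Path, env_var: str = "OPENAI_API_KEY") -> str:
    """Load project_root/.env into the environment and return the named key.

    Refuses to run when .env is not ignored by git (so it cannot be committed
    by accident) and fails loudly when the variable is missing rather than
    handing back None to be discovered later in a failed request.
    """
    if not env_is_gitignored(project_root):
        raise RuntimeError(f".env is not ignored; add '.env' to {project_root / '.gitignore'}")
    load_dotenv(project_root / ".env")
    key = os.environ.get(env_var)
    if not key:
        raise KeyError(f"{env_var} is not set; add it to {project_root / '.env'}")
    return key


def demo(gitignored: bool = True) -> str:
    """Build a throwaway project directory and read the key back from it."""
    root = Path(tempfile.mkdtemp(prefix="dotenv-demo-"))
    if gitignored:
        (root / ".gitignore").write_text(".env\n__pycache__/\n", encoding="utf-8")
    (root / ".env").write_text(ENV_FILE_CONTENTS, encoding="utf-8")
    # Make sure the value comes from the file, not from a variable already
    # exported in this shell (load_dotenv does not override existing ones).
    os.environ.pop("OPENAI_API_KEY", None)
    return load_api_key(root)


if __name__ == "__main__":
    RESOURCE_API_KEY = demo()
    # Never log the full key; the last few characters are enough to tell keys apart.
    print("loaded key ending in", RESOURCE_API_KEY[-4:])
```

Because load_dotenv does not override variables that are already set, a key exported in the shell (or by a CI runner) silently wins over the one in the file; that is deliberate and is how the same code picks up a different key per environment, but it is also the first thing to check when the "wrong" key appears to be in use.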
Keys for a Shared Resource
If you are part of a group that shares access to the same API:
- Create a separate API key for each application you use and for each environment you work in, so that a leaked key can be traced and revoked without disrupting everything else.
- Do not share API keys between users or between different applications and scripts.