
Handling API Keys

If you are using a web service that requires API keys, there are a few things to keep in mind. Whatever process you use to store keys must meet the following requirements:

  • Not hard-coded into your code
  • Not visible in version-control
  • Convenient to use
  • Convenient to change if needed
  • Unique for different environments

Key Storage

Our recommended way of storing and using API keys is within .env (dotenv) files.

A .env file is a simple text file that stores key-value pairs that set local environment variables. Its contents would look something like the following:

RESOURCE_API_KEY=your_api_key

For instance, if your API key for OpenAI were sk-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz (an illustrative value, not a real key), you would put the following in your .env file:

OPENAI_API_KEY=sk-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

  • Ensure .env is added to your .gitignore file. The .env file must never be committed to a remote repository; it is for your eyes only.
  • Store the .env file in the root directory of your project.
  • Back up the .env file or the key in a secure location. A free personal account with Bitwarden is an excellent option for this.
  • If you notice that the key or the .env file has been published somewhere public, for any length of time, revoke the key and issue a replacement immediately; a brief exposure is still an exposure.
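The checklist above can be verified mechanically. The following is an added example (not code from the original page): a small hygiene check that confirms .env sits at the project root, is covered by a .gitignore rule, and (on POSIX systems) is readable only by its owner. The function names, the simplified .gitignore matching (plain patterns only, no negations or directory rules) and the demo project it builds in a temporary directory are this example's own assumptions.

```python
import os
import stat
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Added example: checks the .env layout recommended above.
# Names and return format are this example's own choices.


def gitignore_covers(gitignore_text: str, name: str = ".env") -> bool:
    """Return True if a (simplified) .gitignore pattern matches `name`.

    Handles plain patterns such as `.env`, `/.env`, `*.env` and `.env*`.
    Negations (`!pattern`) and directory-only rules are deliberately ignored,
    so this is a quick check, not a full gitignore implementation.
    """
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        if fnmatch(name, line.lstrip("/")):
            return True
    return False


def check_env_hygiene(project_dir) -> list:
    """Return a list of problems found with the .env setup in project_dir.

    An empty list means: .env is present at the project root, .gitignore
    lists it, and (on POSIX) the file is not readable by group or others.
    """
    root = Path(project_dir)
    env_file = root / ".env"
    gitignore = root / ".gitignore"
    problems = []

    if not env_file.is_file():
        problems.append(".env is missing from the project root")
    if not gitignore.is_file():
        problems.append(".gitignore is missing, so .env may be committed")
    elif not gitignore_covers(gitignore.read_text()):
        problems.append(".env is not listed in .gitignore")
    if env_file.is_file() and os.name == "posix":
        mode = stat.S_IMODE(env_file.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(
                f".env is readable by other users (mode {mode:o}); run chmod 600 .env"
            )
    return problems


def demo():
    """Build a throwaway project twice: once sloppy, once fixed.

    Returns (problems_before, problems_after). The .env content is a
    constructed sample, not a real credential.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Sloppy layout: world-readable .env, .gitignore that does not mention it.
        (root / ".env").write_text("OPENAI_API_KEY=sk-example-not-a-real-key\n")
        if os.name == "posix":
            os.chmod(root / ".env", 0o644)
        (root / ".gitignore").write_text("__pycache__/\n*.pyc\n")
        before = check_env_hygiene(root)

        # Fixed layout: owner-only permissions and an ignore rule for .env.
        if os.name == "posix":
            os.chmod(root / ".env", 0o600)
        with open(root / ".gitignore", "a") as fh:
            fh.write(".env\n")
        after = check_env_hygiene(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Run check_env_hygiene(".") from your project root before the first commit; on a POSIX machine a fresh .env is usually created with mode 644, so the permission finding is the one people most often miss.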

Note

The .env file is a simple text file, so you can use any text editor to create and edit it.

Key Usage

If you are using Python, the python-dotenv package will enable you to use this approach. First, install it with pip (pip install python-dotenv) or conda (the conda-forge package is also named python-dotenv); note that the package is imported as dotenv even though it is installed as python-dotenv. In your work, the following will give you access to your API key as a Python variable RESOURCE_API_KEY (you may name it whatever you like; the Python variable name may differ from the environment variable name):

import os
from dotenv import load_dotenv

# Read the .env file and set its key-value pairs as environment variables.
# By default a variable that is already set in the real environment is left
# alone, so a deployment can supply its own key without editing the file.
# load_dotenv() with no argument searches upward from the script for a .env.
load_dotenv("relative/path/to/your/.env")

# os.getenv returns None if the variable is absent, so check before using it.
RESOURCE_API_KEY = os.getenv("RESOURCE_API_KEY")
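To make clear what load_dotenv actually does, and what to do with the value once you have it, here is an added example that is not code from the original page or from the python-dotenv project. It contains a minimal .env parser that mirrors the library's default behaviour (comments, quoted values, "export" prefixes, and an existing environment variable winning unless override=True), a require_env helper that fails loudly instead of silently running with None, and a mask helper for logging a key without printing it. The function names, the DEMO_* variable names and the constructed .env content are this example's own assumptions; in a real project use the library rather than this parser.

```python
import os
import re
import tempfile

# Added example, not the python-dotenv library. Names are this example's own.

# KEY=VALUE with an optional "export " prefix; the value is captured lazily so
# trailing whitespace is dropped.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict:
    """Parse .env text into a dict; blank lines and # comments are skipped.

    Values may be wrapped in single or double quotes; an unquoted value is
    cut at a trailing ` # comment`. Malformed lines are ignored, not guessed.
    """
    values = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].rstrip()
        values[key] = value
    return values


def load_env_file(path: str, override: bool = False) -> dict:
    """Load a .env file into os.environ and return the variables it set.

    As with load_dotenv's default, a variable already present in the real
    environment wins unless override=True, which is what lets CI or a
    production host inject its own key without touching the file.
    """
    with open(path, encoding="utf-8") as fh:
        parsed = parse_dotenv(fh.read())
    applied = {}
    for key, value in parsed.items():
        if override or key not in os.environ:
            os.environ[key] = value
            applied[key] = value
    return applied


def require_env(name: str) -> str:
    """Return an environment variable, or fail loudly; never fall back to a default key."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; add it to your .env file")
    return value


def mask(secret: str, keep: int = 4) -> str:
    """Render a key for logs: only the first and last `keep` characters."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "..." + secret[-keep:]


def demo() -> dict:
    """Write a constructed .env to a temp dir, load it, and exercise the helpers."""
    content = (
        "# constructed sample, not a real credential\n"
        "DEMO_RESOURCE_API_KEY=sk-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPp  # trailing comment\n"
        "DEMO_QUOTED='value with spaces'\n"
        "export DEMO_EXPORTED=1\n"
        "this line is malformed\n"
    )
    names = ("DEMO_RESOURCE_API_KEY", "DEMO_QUOTED", "DEMO_EXPORTED")
    for name in names:
        os.environ.pop(name, None)
    os.environ["DEMO_EXPORTED"] = "already-set"  # simulate a value set by the host

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        applied = load_env_file(path)

    key = require_env("DEMO_RESOURCE_API_KEY")
    result = {
        "applied": sorted(applied),
        "key": key,
        "masked": mask(key),
        "quoted": os.environ["DEMO_QUOTED"],
        "exported": os.environ["DEMO_EXPORTED"],
    }
    for name in names:
        os.environ.pop(name, None)
    return result
```

In demo(), DEMO_EXPORTED keeps the value the host set rather than the file's value, and the key is only ever logged through mask(); a RuntimeError from require_env at startup is far easier to diagnose than a 401 from the service later.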

Keys for a Shared Resource

If you are part of a group with access to the same API:

  • Create a unique API key for each application you use and for each environment you work in, so that a leaked key can be revoked without disrupting anything else and usage can be traced to its source.
  • Avoid sharing API keys with other users or between different applications/scripts.