SecOps
How do you secure API keys in production?
Store API keys in a secrets manager (HashiCorp Vault, AWS Secrets Manager, Doppler) and inject them at runtime, typically as environment variables or a mounted file; never hardcode them in source code or commit them in config files. Environment variables are convenient but are inherited by child processes and tend to show up in crash dumps and debug output, so treat them as a delivery mechanism, not a security boundary. Rotate keys on a fixed schedule (at least every 90 days, and immediately on suspected exposure) and issue a separate, least-privilege key per service so a compromised key limits the blast radius.
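The per-service scoping and rotation advice above is easiest to see from the side that validates keys. The following is an added example, not code from the original page: a small server-side key registry that stores only SHA-256 digests, ties each key to one service and an explicit scope set, and rotates with an overlap window so clients can switch without downtime. The 90-day age limit, the 24-hour grace period, the scope names and the FakeClock helper are assumptions chosen for illustration.

```python
"""Server-side API key registry: hashed storage, per-service scopes,
and zero-downtime rotation with an overlap window.
Added example; the periods and scope names below are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_KEY_AGE = timedelta(days=90)        # assumed rotation schedule
ROTATION_GRACE = timedelta(hours=24)    # old key keeps working this long after rotate()


class FakeClock:
    """Controllable clock so rotation windows can be exercised offline."""
    def __init__(self, start=None):
        self.now = start or datetime(2024, 1, 1, tzinfo=timezone.utc)

    def advance(self, **delta):
        self.now += timedelta(**delta)

    def __call__(self):
        return self.now


@dataclass
class KeyRecord:
    service: str
    scopes: frozenset
    key_hash: str                         # SHA-256 of the key; plaintext is never stored
    created_at: datetime
    retire_at: Optional[datetime] = None  # set once the key has been superseded


class KeyStore:
    def __init__(self, now=None):
        self._records = {}   # key digest -> KeyRecord
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, service: str, scopes) -> str:
        """Mint a random key for one service with an explicit scope set.
        The service name in the prefix makes leaked keys attributable in scanners and logs."""
        key = f"{service}_{secrets.token_urlsafe(32)}"
        d = self._digest(key)
        self._records[d] = KeyRecord(service, frozenset(scopes), d, self._now())
        return key   # shown once; the caller places it in the secrets manager

    def rotate(self, old_key: str) -> str:
        """Issue a replacement and keep the old key valid for ROTATION_GRACE."""
        old = self._records[self._digest(old_key)]
        old.retire_at = self._now() + ROTATION_GRACE
        return self.issue(old.service, old.scopes)

    def revoke(self, key: str) -> None:
        """Kill switch for a compromised key: no grace period."""
        self._records.pop(self._digest(key), None)

    def authorize(self, presented: str, scope: str) -> bool:
        """Deny unknown, retired, or out-of-scope keys.
        Lookup is by digest, so a dumped store yields no usable keys."""
        rec = self._records.get(self._digest(presented))
        if rec is None:
            return False
        if rec.retire_at is not None and self._now() >= rec.retire_at:
            return False
        return scope in rec.scopes

    def overdue(self):
        """Services whose active key is older than MAX_KEY_AGE; feed this to an alert."""
        now = self._now()
        return sorted({r.service for r in self._records.values()
                       if r.retire_at is None and now - r.created_at > MAX_KEY_AGE})


if __name__ == "__main__":
    clock = FakeClock()
    store = KeyStore(now=clock)
    k1 = store.issue("billing-worker", ["invoices:read"])
    k2 = store.rotate(k1)
    clock.advance(hours=25)
    print("old key after grace:", store.authorize(k1, "invoices:read"))
    print("new key:", store.authorize(k2, "invoices:read"))
```

The overlap window is the part most teams miss: if the old key dies the instant the new one is minted, every rotation is an outage, and people stop rotating. Revocation is separate and immediate for the compromise case.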
Key Considerations
- Scan repos for leaked secrets using automated tools (GitGuardian, truffleHog, GitHub secret scanning); run them as a pre-commit hook so a key is caught before it reaches the remote, with CI/CD as the backstop, since anything already pushed must be treated as leaked and rotated
- Use short-lived tokens instead of long-lived API keys wherever the service supports it (OAuth tokens, AWS STS)
- Restrict API keys by IP address, referrer, or scope when the provider allows it — an unrestricted key is a liability
- Log all API key usage and set up alerts for anomalous patterns (unusual IPs, volume spikes, off-hours access)
- Have a documented key rotation runbook so rotating a compromised key takes minutes, not hours
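To make the "scan repos for leaked secrets" point concrete, here is an added example of the kind of check a CI job or pre-commit hook runs. It is not code from the page or from any of the tools named above. Fixed-format credentials (AWS access key IDs, GitHub personal access tokens) are matched directly; generic assignments to secret-looking names are gated by a Shannon-entropy threshold so placeholders such as CHANGE_ME do not fire. The rule set, the 3.5-bit threshold and the sample source lines are assumptions and constructed input; the AWS value is the placeholder key AWS itself uses in its documentation.

```python
"""Minimal leaked-secret scanner for a pre-commit or CI check.
Added example; rules, threshold and sample lines are assumptions."""
import math
import re
from collections import Counter

# Well-known fixed-format credentials: matched outright, no entropy test needed.
FIXED_FORMAT_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# A long quoted literal assigned to a secret-looking name; needs the entropy gate.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5   # assumed; random tokens score ~4-5 bits, words and placeholders ~3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the full secret into CI logs; keep just enough to locate it."""
    return value[:4] + "..." + value[-2:]


def scan_lines(lines):
    """Return (line_number, rule_name, redacted_match) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, rx in FIXED_FORMAT_RULES:
            for m in rx.finditer(line):
                findings.append((lineno, name, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-assignment", redact(value)))
    return findings


# Constructed sample input, not taken from any real repository.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',           # AWS documentation placeholder
    'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',  # PAT-shaped literal
    'API_KEY = os.environ["API_KEY"]',                       # correct: injected at runtime
    'api_key = "CHANGE_ME_CHANGE_ME_CHANGE_ME"',             # placeholder, low entropy
    'api_key = "q7Hd93kLmZp2Xv8Rt4Wn6Bc0Yj5Fg1Sa"',          # real-looking literal
]

if __name__ == "__main__":
    import sys
    hits = scan_lines(SAMPLE_SOURCE)
    for lineno, rule, shown in hits:
        print(f"line {lineno}: {rule}: {shown}")
    sys.exit(1 if hits else 0)   # a non-zero exit fails the commit or pipeline
```

The exit status is what makes this a control rather than a report: the hook blocks the commit, and the CI job fails the build. Redacting the match matters because CI logs are themselves widely readable and retained.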
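The "log all API key usage and alert on anomalous patterns" point is easier to act on with a concrete detector. The following is an added example, not code from the page: it builds a per-key baseline (source IPs seen, mean requests per hour) from a known-good log window and then flags unseen source IPs, off-hours use and volume spikes in a newer window. The one-JSON-object-per-line log format with ts, key_id and src_ip fields, the 08:00 to 17:59 UTC business-hours range, the 5x spike factor and all log lines are assumptions and constructed input.

```python
"""Anomaly checks over API-key usage logs: unseen source IP, off-hours use, volume spike.
Added example; log format, thresholds and log lines are assumptions."""
import json
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS_UTC = range(8, 18)   # assumed normal window for this key
SPIKE_FACTOR = 5                    # assumed: more than 5x the baseline hourly rate


def parse(lines):
    """One JSON object per line with ts (ISO 8601, Z suffix), key_id and src_ip."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def _hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events):
    """Per key: the set of source IPs seen and the mean requests per active hour."""
    ips = defaultdict(set)
    per_hour = defaultdict(Counter)
    for e in events:
        ips[e["key_id"]].add(e["src_ip"])
        per_hour[e["key_id"]][_hour_bucket(e["ts"])] += 1
    rate = {k: sum(c.values()) / len(c) for k, c in per_hour.items()}
    return {"ips": ips, "hourly_rate": rate}


def detect(events, baseline):
    """Return de-duplicated (key_id, rule, detail) alerts for the given events."""
    alerts, seen = [], set()

    def add(alert):
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)

    per_hour = defaultdict(Counter)
    for e in events:
        key, ip, ts = e["key_id"], e["src_ip"], e["ts"]
        if ip not in baseline["ips"].get(key, set()):
            add((key, "unseen-source-ip", ip))
        if ts.hour not in BUSINESS_HOURS_UTC:
            add((key, "off-hours-use", _hour_bucket(ts).isoformat()))
        per_hour[key][_hour_bucket(ts)] += 1
    for key, buckets in per_hour.items():
        base = baseline["hourly_rate"].get(key, 0)
        for hour, n in sorted(buckets.items()):
            if n > SPIKE_FACTOR * max(base, 1):
                add((key, "volume-spike", f"{n} req in hour starting {hour.isoformat()}"))
    return alerts


# Constructed log lines, not captured from a real system.
def _line(ts, key, ip):
    return json.dumps({"ts": ts, "key_id": key, "src_ip": ip})

KEY = "billing-worker/k1"
BASELINE_LOG = [_line(f"2024-03-04T{h:02d}:{m:02d}:00Z", KEY, "10.0.1.5")
                for h in (9, 10) for m in (5, 25, 45)]               # 3 req/hour, business hours
RECENT_LOG = (
    [_line("2024-03-05T10:12:00Z", KEY, "10.0.1.5")]                 # normal
    + [_line("2024-03-05T10:13:00Z", KEY, "203.0.113.9")]            # unseen source IP
    + [_line(f"2024-03-05T03:{m:02d}:00Z", KEY, "10.0.1.5") for m in range(20)]  # 20 req at 03:xx
)

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in detect(parse(RECENT_LOG), base):
        print(alert)
```

Each alert names the key, which only works because keys are per service (a shared key would make "unseen IP" meaningless). The baseline should be rebuilt periodically from windows you have already reviewed, otherwise an attacker's traffic slowly becomes the norm.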