API Keys Explained: What They Are and How to Keep Them Safe
By The IT Hustle Team
This article was generated with AI assistance and reviewed by our team for accuracy and quality. All technical information and examples have been verified.
In 2024, a developer accidentally pushed an AWS API key to a public GitHub repo. Within 4 minutes — not hours, minutes — bots had found it and spun up $50,000 worth of cryptocurrency mining instances on his account.
API keys are the passwords of the internet. And unlike passwords, people accidentally publish them in code, screenshots, and Slack messages every single day.
Here's what they are, why they exist, and how to not be the person who costs their company $50K on a Tuesday.
What Is an API Key?
An API key is a unique string of characters that identifies your application to a service. When you use Google Maps in your app, Stripe for payments, or OpenAI for AI — each one gives you an API key so they know who's making the request and how much to charge you.
sk_test_4eC39HqLyjWDarjtT1zdp7dc
AKIAIOSFODNN7EXAMPLE
AIzaSyD-9tSrke72PouQMnMX-a7rWEbA8o_KQXk
sk_ = Stripe, AKIA = AWS, AIza = Google. The prefix tells you which service issued a key.
API Key vs. Password vs. Token
| Type | Identifies | Expires? | Used By |
|---|---|---|---|
| API Key | Your application | Usually no | Server-to-server |
| Password | A human user | Usually no | Human login |
| OAuth Token | A user's session | Yes (hours/days) | Delegated access |
| JWT | A verified identity | Yes (minutes/hours) | Stateless auth |
The 5 Rules of API Key Safety
1. Never Hardcode API Keys in Your Code
```typescript
// Bad: the live secret key is hardcoded and ships with the source
const stripe = new Stripe("sk_live_abc123");
```

```typescript
// Good: the key is read from the environment at runtime
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
```
2. Use .env Files and .gitignore
Store keys in .env.local and make sure .env*.local is in your .gitignore. Read our full guide: Environment Variables Explained Like You're 5.
3. Use Different Keys for Development and Production
Most services give you separate test and live keys (Stripe: sk_test_ vs sk_live_). Use test keys locally. If your test key leaks, no real money is at risk.
4. Restrict Key Permissions
Most services let you limit what an API key can do. If your app only reads data, create a read-only key. If it only needs one endpoint, restrict to that endpoint. The principle: minimum privilege, maximum safety.
5. Rotate Keys If Compromised
If a key is exposed — even briefly — assume it's compromised. Go to the service dashboard, generate a new key, update your environment variables, and revoke the old key. Do this immediately, not "after the sprint."
Where API Keys Go Wrong
- Committed to Git. Even if you delete the commit later, the key exists in git history. Bots scrape GitHub continuously.
- Shared in Slack/email. These channels aren't encrypted end-to-end. Use a password manager or secrets vault.
- Visible in screenshots. Developers share terminal screenshots with API keys visible. Crop or blur.
- Embedded in frontend code. Any key in client-side JavaScript is visible to anyone who opens DevTools. Only put publishable keys (like Stripe's pk_) in the frontend.
The Bottom Line
API keys are simple: they identify your app to a service. The hard part is keeping them secret. Use environment variables, never commit them to git, restrict permissions, and rotate immediately if exposed. The 4-minute horror story doesn't have to be yours.
Need to generate strong API keys or secrets? Use our free Password Generator. Setting up environment variables? Read Environment Variables Explained Like You're 5.
We build free developer tools and write about AI, automation, and developer productivity. 30 tools, 33 articles, and an AI Prompt Engine — all built to help workers navigate the AI era. Published by Salty Rantz LLC.