Your API Keys Are Valuable. Protect Them.

LLM API keys are bearer tokens. Anyone with your key can:

• Use your quota
• Run up your bill
• Access your data through the API

API key security isn’t optional.

How Keys Get Exposed

Hardcoded in source:

# Don't do this
api_key = "sk-abc123..."

Committed to git: Even if removed later, it’s in history.

In client-side code: Browser JavaScript = public.

Shared via chat/email: Screenshots, copy-paste accidents.

In logs: Debug logging that includes requests.

In notebooks: Jupyter notebooks committed with outputs.

The Consequences

Financial: Attackers use your quota, you pay the bill.

Data access: Depending on the service, keys may grant data access.

Reputation: Your key used for abuse reflects on you.

Account termination: Provider may terminate for key misuse.

Key Management Best Practices

Never hardcode keys: Always use environment variables or secrets management.

Use secrets management:

• HashiCorp Vault
• AWS Secrets Manager
• Azure Key Vault
• GCP Secret Manager

Rotate regularly: Change keys periodically and after any suspected exposure.

Scope minimally: Use the least-privileged key for each application.

Monitor usage: Track API usage for anomalies.

Environment Variables

The minimum viable approach:

# Set in environment
export OPENAI_API_KEY="sk-..."

# Use in code
import os
api_key = os.environ.get("OPENAI_API_KEY")

Better than hardcoding, but:

• Still visible in process list
• Environment can be logged
• Doesn’t work for all deployment models

Secrets Management

Production approach:

# Fetch from secrets manager
from aws_secrets import get_secret
api_key = get_secret("openai-api-key")

Benefits:

• Centralized management
• Access logging
• Rotation support
• Integration with deployment

In Calliope

Calliope handles API key security:

Centralized management: Keys stored in secrets management, not in code.

Per-user/team scoping: Different keys for different contexts.

Usage tracking: See which keys are used where.

Rotation support: Update keys without code changes.

No client exposure: Keys stay server-side.

Pre-Commit Checks

Prevent accidental commits:

git-secrets:

git secrets --install
git secrets --register-aws

detect-secrets:

detect-secrets scan

Pre-commit hooks: Block commits containing key patterns.

Scanning for Exposed Keys

If you suspect exposure:

Check git history:

git log -p | grep -i "api_key\|secret\|password"

Scan repositories: Tools like trufflehog, gitleaks.

Check public resources: Search for your key patterns online.

If a Key Is Exposed

Immediate steps:

1. Revoke the key immediately
2. Generate new key
3. Update all systems using the old key
4. Audit usage for unauthorized activity
5. Clean history (git filter-branch or BFG)
6. Review processes to prevent recurrence

The API Key Security Checklist

• No hardcoded keys in source code
• Keys in environment variables or secrets management
• Pre-commit hooks to catch key commits
• Regular key rotation scheduled
• Usage monitoring enabled
• Incident response plan for exposure
• Different keys for dev/staging/prod

Protect your keys. Protect your wallet.

Manage API keys securely with Calliope →