API Key Security for Developers: Stop Leaking Secrets (2026)

How to manage API keys, tokens, and secrets securely. Environment variables, secret managers, .gitignore, and rotation practices.

Sarah Chen — Lead Security Editor

The $20 Billion Problem

Leaked API keys and secrets are one of the most common and costly security failures. GitGuardian scans found over 10 million secrets exposed in public GitHub repositories in 2025. A single leaked AWS key can result in thousands of dollars in unauthorized charges within hours.

If you're a developer working remotely, your API keys are even more at risk — you're working on shared networks, personal devices, and multiple machines.

The Cardinal Rules

  1. Never commit secrets to git. Not even "temporarily"
  2. Never hard-code secrets in source code. Not even for testing
  3. Never share secrets via Slack, email, or chat. Use a secrets manager
  4. Always use environment variables for configuration
  5. Rotate keys immediately if you suspect exposure

Setting Up .gitignore Correctly

Before you write any code, make sure your .gitignore excludes every file that may hold a secret, so those files are never staged in the first place. Note that .gitignore only affects untracked files: a file that has already been committed stays tracked until you remove it from the index.

```gitignore
# Environment files
.env
.env.local
.env.*.local
.env.production
.env.staging

# Cloud provider credentials
*.pem
*.key
credentials.json
serviceAccountKey.json

# IDE-specific
.idea/
.vscode/settings.json
```

Using Environment Variables

Instead of:

```javascript
// NEVER DO THIS
const API_KEY = "sk-abc123...";
```

Do this:

```javascript
// CORRECT
const API_KEY = process.env.API_KEY;
```

And store the actual value in .env:

```ini
API_KEY=sk-abc123...
```
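Reading `process.env` is only half the job: the application should refuse to start when a variable is missing or still holds the placeholder from the example `.env`, and it must never print the real value. The loader below is an added example, not the guide's code; the variable names and sample values are constructed.

```javascript
// Added example (not from the original guide): a fail-closed loader for the
// process.env approach. It refuses to start when a variable is absent or still
// holds a documentation placeholder, reports problems by variable NAME only,
// and returns an object that redacts itself when logged or serialised.
// Node does not read .env on its own: run `node --env-file=.env app.js`
// (Node 20.6+) or load the file with the dotenv package first.
const PLACEHOLDER_RE = /\.\.\.|changeme|your[_-]?key|xxxx/i;

function loadSecrets(names, env = process.env) {
  const missing = names.filter((n) => !env[n] || env[n].trim() === '');
  const placeholders = names.filter((n) => env[n] && PLACEHOLDER_RE.test(env[n]));
  if (missing.length || placeholders.length) {
    const parts = [];
    if (missing.length) parts.push(`missing: ${missing.join(', ')}`);
    if (placeholders.length) parts.push(`placeholder values: ${placeholders.join(', ')}`);
    // Only variable names appear in the message; values never do.
    throw new Error(`Secret configuration invalid (${parts.join('; ')})`);
  }
  const secrets = Object.fromEntries(names.map((n) => [n, env[n]]));
  const redacted = () => Object.fromEntries(names.map((n) => [n, '[REDACTED]']));
  // JSON.stringify(secrets) and console.log(secrets) both show [REDACTED].
  Object.defineProperty(secrets, 'toJSON', { value: redacted });
  Object.defineProperty(secrets, Symbol.for('nodejs.util.inspect.custom'), { value: redacted });
  return Object.freeze(secrets);
}

// Constructed environment standing in for a loaded .env (values are made up).
const SAMPLE_ENV = { API_KEY: 'sk-' + 'a'.repeat(30), DATABASE_URL: 'postgres://app:pw@db:5432/app' };
const secrets = loadSecrets(['API_KEY', 'DATABASE_URL'], SAMPLE_ENV);
console.log(JSON.stringify(secrets)); // {"API_KEY":"[REDACTED]","DATABASE_URL":"[REDACTED]"}
```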

Secrets Managers for Teams

For teams, environment variables alone aren't enough. Use a secrets manager:

| Tool | Type | Best For | Price |
|------|------|----------|-------|
| GitHub Secrets | Built-in | GitHub Actions CI/CD | Free |
| Doppler | SaaS | Multi-environment sync | Free tier |
| HashiCorp Vault | Self-hosted/Cloud | Enterprise | Free (OSS) |
| AWS Secrets Manager | Cloud | AWS workloads | $0.40/secret/month |
| 1Password Secrets Automation | SaaS | Teams using 1Password | Included in business plan |

GitHub Secret Scanning

GitHub automatically scans for known secret patterns (API keys, tokens, passwords) in your repositories. Enable push protection to block commits containing secrets:

  1. Repository Settings > Security > Code security and analysis
  2. Enable "Secret scanning"
  3. Enable "Push protection" — this prevents commits with detected secrets from being pushed
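Push protection works by matching known key formats before a push lands. The script below is an added example, not GitHub's or the guide's code, of the same idea run locally as a pre-commit check: it flags the file, line and secret type without ever echoing the matched value. The pattern list, placeholder markers and sample staged files are all constructed for illustration.

```javascript
// Added example (not GitHub's or the guide's code): a local pre-commit style
// scan in the spirit of push protection. Findings name the file, line and
// secret type only; the matched value is never echoed, so the report itself
// cannot leak into CI logs. The pattern list is illustrative, not complete.
const SECRET_PATTERNS = [
  // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
  { type: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  // GitHub personal access tokens (classic): "ghp_" plus 36 characters.
  { type: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  // "sk-" prefixed API keys, the shape used in the guide's own snippets.
  { type: 'sk- prefixed API key', re: /\bsk-[A-Za-z0-9_-]{20,}/ },
  // PEM private key headers, whatever the key algorithm.
  { type: 'private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];
// Markers that indicate a documentation placeholder rather than a live value.
const PLACEHOLDER_MARKERS = ['...', 'EXAMPLE', 'XXXX', '<YOUR', 'REDACTED'];

function looksLikePlaceholder(line) {
  const upper = line.toUpperCase();
  return PLACEHOLDER_MARKERS.some((m) => upper.includes(m));
}

// Scan one file; returns { file, line, type } per flagged line (1-based lines).
function scanFile(filename, contents) {
  const findings = [];
  contents.split('\n').forEach((line, idx) => {
    if (looksLikePlaceholder(line)) return;
    const hit = SECRET_PATTERNS.find(({ re }) => re.test(line));
    if (hit) findings.push({ file: filename, line: idx + 1, type: hit.type });
  });
  return findings;
}

// Pre-commit decision over all staged files: a single finding blocks the commit.
function checkStaged(files) {
  const findings = Object.entries(files).flatMap(([f, c]) => scanFile(f, c));
  return { blocked: findings.length > 0, findings };
}

// Constructed "staged" files; the key-shaped strings are made up, not real credentials.
const STAGED = {
  'src/config.js': 'const API_KEY = "sk-abc123...";\nconst BUCKET = process.env.BUCKET;\n',
  '.env': 'AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\nAPI_KEY=sk-' + 'a'.repeat(24) + '\n',
  'README.md': 'Set API_KEY to <your key here> before running.\n',
};
const report = checkStaged(STAGED);
for (const f of report.findings) console.log(`${f.file}:${f.line}: possible ${f.type}`);
console.log(report.blocked ? 'commit blocked' : 'no secrets detected');
```

Wire it into a pre-commit hook that feeds the staged file contents into `checkStaged` and exits non-zero when `blocked` is true; it complements, rather than replaces, GitHub's server-side scanning.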

What to Do If a Secret Is Leaked

  1. Revoke the key immediately — don't just remove it from the code
  2. Generate a new key from the provider's dashboard
  3. Update all services using the old key
  4. Check for unauthorized usage in the provider's logs
  5. Clean git history using git filter-repo (not just removing from current commit)
  6. Audit access logs for suspicious activity during the exposure window

Remember: removing a secret from the latest commit does NOT remove it from git history. The old commit still contains it.

How We Verified

Practices based on OWASP API Security Top 10, GitHub security documentation, and GitGuardian research. Tools verified with current versions. April 2026.

Sources & Citations

  1. GitHub: Secret scanning — docs.github.com
  2. OWASP: API Security Top 10
  3. GitGuardian: State of Secrets Sprawl 2026