Skip to content

Why You Should Keep Your API Keys Secure (for Juniors)

  • #Articles
Read time: 23 minutes

As data scientists, we often work with APIs to access data, deploy models, or integrate services. APIs can be powerful, but they require authentication through API keys—secret tokens that give access to the API. Keeping these keys secure is critical to protecting your work and avoiding unintended consequences, such as exposing sensitive data or being held accountable for malicious activities.

Recently, I encountered an issue where I mistakenly uploaded an API key to GitHub. Even after I deleted the key, an experienced developer informed me that it was still accessible to users who had seen the earlier commit. I believe this is a common mistake for junior developers, but one that we should all aim to avoid. That’s why I decided to write this article—to share best practices for managing and securing API keys in your code.

Why Keeping API Keys Secure Is Important

  1. Security Risks: If you expose your API keys directly in your code and that code gets shared publicly (e.g., on GitHub), anyone who sees your code can use those keys. They can make requests on your behalf, which could lead to:
    • Unauthorized access to your services: Attackers could retrieve sensitive data or change configurations.
    • Usage abuse: You may face unexpected bills or service limits if someone abuses your keys by making too many API calls.
    • Reputation damage: If malicious actors use your API key for nefarious purposes, it could hurt your reputation or even have legal consequences.
  2. Good Practice in Production: In real-world data science projects, APIs are often used to access sensitive information, such as user data or financial records. Keeping your keys secure follows best practices that are essential when scaling your work from personal projects to production environments in a company.
  3. Maintainability: By externalizing your API keys, you make your code cleaner and more maintainable. For instance, if the keys need to be updated or changed, you won’t have to dig through your code—just update them in a centralized and secure location.

How to Keep Your API Keys Secure

The simplest and most common method for keeping API keys secure is to store them outside your code in environment variables. Below are the steps to achieve this using a .env file and Python.

Step-by-Step Instructions

1. Create a .env file

The .env file is a simple text file that holds your environment variables (such as API keys). It should be placed in the root directory of your project.

  • Create a file named .env in your project folder.
  • Inside the .env file, store your API keys like this:
OPENAI_API_KEY=your_openai_api_key_here
RAPIDAPI_KEY=your_rapidapi_key_here
2. Install python-dotenv library

To load the .env file into your Python code, you need a library called python-dotenv. It helps to easily load environment variables from the .env file.

pip install python-dotenv
3. Load Environment Variables in Your Python Code

Now, you can securely load the API keys from the .env file in your code. Here’s an example:

from dotenv import load_dotenv
import os

# Load environment variables from the .env file
load_dotenv()

# Retrieve API keys from environment variables
OPENAI_API_KEY = os.getenv('OPENAI_API_KEY')
RAPIDAPI_KEY = os.getenv('RAPIDAPI_KEY')

# Example of using the API keys in your code
print(f"Your OpenAI API Key: {OPENAI_API_KEY}")

With this approach, your API keys remain hidden from your codebase. Even if someone sees your code, they won't have access to the actual keys.

4. Secure Your .env File

To ensure that your .env file isn’t accidentally shared, add it to your .gitignore file (if you are using Git for version control). This ensures that the .env file will not be tracked by Git and uploaded to platforms like GitHub.

  • Step: Open (or create) a .gitignore file in your project directory and add the following line:
.env
5. Set Environment Variables Directly in Your System (Optional)

For more advanced use cases, such as when working in production environments, you can set environment variables directly in your operating system rather than using a .env file. This is especially common on cloud platforms (AWS, Azure) or when deploying containerized applications.

  • On Windows:
    1. Open Command Prompt or PowerShell.
    2. Use the command set to add environment variables:
set OPENAI_API_KEY=your_openai_api_key_here

These variables will be available to your Python script, and you can access them with os.getenv() just as with the .env file method.

Conclusion

Keeping your API keys secure is a fundamental skill every data scientist must master. By storing your keys in environment variables, you avoid exposing them to unintended viewers, protect yourself from security breaches, and follow best practices in production environments. Remember, your code should be clean and maintainable, and security should always be a priority.

Following the simple steps outlined here will help you manage your API keys properly, whether you're working on personal projects or deploying to production.

© 2025

Elena Medvedeva. Created by Elena Aseeva. Some assets are created by freepik.com