In 2022, Toyota accidentally exposed a credential in a public GitHub repository that gave access to nearly 300,000 customer email addresses and management numbers. The key had been public for five years before anyone noticed. This is not a rare incident. Researchers estimate that millions of API keys and secrets are exposed on GitHub every year. If you build anything with modern technology, you almost certainly have secrets that need protecting.
What Are API Keys and Why Do They Matter?
An API key is a credential that identifies and authenticates a request to an application programming interface. Think of it as a password that software uses to talk to other software. When your app sends an email through SendGrid, processes a payment through Stripe, or stores a file in AWS S3, it authenticates with an API key.
Other types of secrets include:
- API tokens that grant specific permissions to services
- Database passwords that control access to your data stores
- OAuth client secrets used in authentication flows
- SSH private keys for server access
- Encryption keys that protect data at rest
- Webhook signing secrets that verify incoming requests
Unlike human passwords, API keys often grant broad programmatic access. A leaked AWS root key can spin up thousands of servers for cryptocurrency mining in minutes. A leaked Stripe key can process fraudulent charges. A leaked database password exposes every record.
How Secrets Get Exposed
Most secret exposure is accidental. Nobody intentionally publishes their AWS credentials to the internet. The most common exposure vectors include:
Public Code Repositories
The single largest source of leaked secrets is version control. A developer hardcodes an API key during testing, forgets to remove it, and pushes to a public GitHub repository. Automated bots scan every new commit on public repositories and can exploit leaked keys within minutes of publication. Even if you delete the commit, it remains in the Git history unless you rewrite it.
Client-Side Code
Any secret embedded in JavaScript that runs in a browser is visible to anyone who opens developer tools. This includes mobile apps, which can be decompiled. If your frontend code contains an API key, assume it is public.
Configuration Files and Logs
Secrets end up in configuration files that get committed, log outputs that get stored, error messages that get displayed, and Docker images that get published. Each of these is a potential leak vector that is easy to overlook.
Shared Communication Channels
Developers paste secrets into Slack messages, emails, and shared documents. These channels are often not encrypted at rest and are searchable by other team members or anyone who compromises those accounts.
Securing Your API Keys
Protecting secrets requires both prevention and detection:
- Never hardcode secrets in your source code. This is the most fundamental rule. No matter how convenient it seems during development, hardcoded secrets will eventually leak.
- Use environment variables to inject secrets at runtime. Your code reads process.env.API_KEY instead of containing the key itself. The key exists only in the deployment environment, not in the codebase.
- Add secret files to .gitignore before your first commit. Files like .env, config.local.json, and *.pem should never be tracked by version control.
- Use pre-commit hooks with tools like git-secrets or detect-secrets to scan for credentials before code is committed. This catches accidents before they become public.
- Rotate secrets regularly and immediately after any suspected exposure. Treat API keys like passwords: they should be changed periodically and immediately revoked if compromised.
- Apply the principle of least privilege by using API keys with the minimum permissions necessary. A key that only needs to read data should not have write access.
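To show what the pre-commit scanning step above actually does, here is a minimal scanner in the spirit of git-secrets and detect-secrets: it flags well-known key formats and high-entropy string literals, while leaving process.env reads alone. This is an added example, not code from the article or from either tool; the sample lines are constructed, and the key values are placeholders (the AWS key ID is the one used in AWS documentation).

```javascript
// Added example, not from the article: a minimal pre-commit style scanner in the
// spirit of git-secrets / detect-secrets. All sample values below are constructed;
// the AWS key ID is the placeholder from AWS documentation, the others are fake.

// Documented public formats of well-known credential types.
const KNOWN_PATTERNS = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'stripe-live-key', re: /\bsk_live_[0-9a-zA-Z]{16,}\b/ },
];

// A long quoted literal assigned to a name, e.g. API_KEY = "..." or token: '...'.
const ASSIGNMENT = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([A-Za-z0-9+\/=_\-]{20,})["']/;

// Shannon entropy in bits per character: random tokens score high, words score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Scan lines (e.g. the staged diff) and return findings as { line, rule, name }.
// A known format is reported once per line; otherwise a quoted literal is reported
// only if its entropy reaches the threshold. process.env reads have no literal.
function scanLines(lines, entropyThreshold = 4.0) {
  const findings = [];
  lines.forEach((text, i) => {
    const known = KNOWN_PATTERNS.find(({ re }) => re.test(text));
    if (known) {
      findings.push({ line: i + 1, rule: known.name });
      return;
    }
    const m = ASSIGNMENT.exec(text);
    if (m && shannonEntropy(m[2]) >= entropyThreshold) {
      findings.push({ line: i + 1, rule: 'high-entropy-literal', name: m[1] });
    }
  });
  return findings;
}

// Constructed staged lines, as a pre-commit hook would see them.
const SAMPLE = [
  'const apiKey = process.env.API_KEY;',                  // fine: injected at runtime
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',               // AWS docs placeholder ID
  'STRIPE_SECRET = "sk_live_placeholderplaceholder1234"', // fake, matches the format
  'token: "Zq83kLm2xP9vRtA4eWnB7cYdF1sGhJ0u"',             // fake random-looking token
  'const greeting = "hello_world_hello_world_hello";',    // low entropy, not flagged
];
console.log(JSON.stringify(scanLines(SAMPLE)));
```

Wired into a pre-commit hook, a non-empty findings list would block the commit; the entropy threshold is the knob that trades false positives against missed tokens.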
Secret Management Tools
For anything beyond a simple personal project, you should use a dedicated secret management system:
- Environment variable files (.env) work for local development but are insufficient for production. They are a starting point, not a complete solution.
- Cloud provider secret managers like AWS Secrets Manager, Google Secret Manager, and Azure Key Vault provide encrypted storage, access logging, automatic rotation, and fine-grained access control.
- HashiCorp Vault is an open-source tool for managing secrets across multiple environments. It provides dynamic secrets (generated on demand with expiration), encryption as a service, and detailed audit logs.
- Doppler and 1Password for developers offer team-friendly interfaces for managing secrets across projects and environments without the complexity of enterprise tools.
What to Do When a Secret Is Exposed
If you discover that a secret has been exposed, act immediately:
- Revoke the compromised key immediately. Do not wait to investigate. Revoke first, then assess.
- Generate a new key and update it in all systems that use it.
- Check access logs for unauthorized usage during the exposure window.
- Remove the secret from Git history using tools like BFG Repo-Cleaner or git filter-branch if it was committed to a repository.
- Identify the root cause and implement safeguards to prevent recurrence.
API keys and secrets are the silent backbone of modern applications. They deserve the same level of care and attention as any other credential, yet they are routinely treated as an afterthought. Building good habits around secret management is one of the highest-impact security practices you can adopt.