DEVELOPERMarch 30, 2025·9 min read

API Key Security Best Practices: The Complete 2025 Checklist

API keys in git commits. Keys with no expiry. No rotation policy. This is how most breaches start. Here is the correct approach.

The hidden breach surface: API keys

API keys are credentials, but they're often treated as configuration rather than secrets. They end up in .env files committed to GitHub, hardcoded in mobile apps, logged in server access logs, and passed in URL query strings where they're visible in browser history and server logs. The consequences are real: exposed AWS keys have resulted in six-figure cloud bills within hours of exposure.

Generation: what a good API key looks like

A strong API key should have at least 128 bits of cryptographic randomness — roughly 32 hexadecimal characters or 22 base64url characters. It should be generated using a cryptographically secure random number generator, not a hash of predictable inputs. PassGeni's Team plan generates API keys using this standard — pg_live_ prefix, 40 random hex characters, SHA-256 hashed before storage.

Storage: never commit, never log

  • Store API keys in environment variables, not in code files. Use .env for local development and your CI/CD platform's secret store for deployed environments.
  • Add .env to .gitignore immediately when creating a project — before your first commit.
  • Audit your existing git history for committed secrets: git log --all --full-history -- .env
  • Never log API keys, even in debug output. Use request IDs or key prefixes (first 8 characters) for log correlation.
  • Never pass API keys in URL query parameters — they appear in access logs, browser history, and referrer headers.

Scope restriction: principle of least privilege

Most API key systems allow you to restrict a key's permissions. A key used to read analytics data should not have write access. A key for a frontend widget should not have admin access. Scope every key to the minimum permissions required for its specific use case.

Rotation: when and how

Rotate API keys when: a team member with access leaves; you suspect exposure; you're doing a security audit; or you're decommissioning a service that had access. Build rotation into your offboarding checklist. PassGeni's Team dashboard provides one-click key rotation with immediate invalidation of the old key.

Leak detection

Set up GitHub secret scanning (free for public repos, available for private repos with Advanced Security). Configure AWS CloudTrail, GCP Audit Logs, or equivalent for unusual API call patterns. Services like GitGuardian monitor commits in real time for credential patterns. For critical keys, set up alerts on first-use from a new IP range.

Key topics
API key securitysecrets managementgit secretsAPI key rotationdeveloper security
Was this post useful?
Frequently asked questions

Questions about this topic

How do I check if I have accidentally committed API keys to git?

+

What should I do if I accidentally push an API key to GitHub?

+

Is it safe to store API keys in environment variables on a VPS?

+
More posts

Related reading

API Security Best Practices in 2025: Keys, Tokens, and Secrets

10 min read →

How Password Hashing Works: bcrypt, Argon2, and What Your App Should Use

9 min read →