What is an API Key? Plain English Security Guide


TL;DR

An API key is a secret code that identifies your app when it talks to external services like Stripe, OpenAI, or Supabase. Think of it like a password for your software. If someone gets your API key, they can use (and abuse) those services as if they were you. Never put API keys in your code. Store them in environment variables instead.

The Simple Explanation

When your app needs to talk to another service (like processing a payment through Stripe or getting an AI response from OpenAI), it needs to prove who it is. The API key is that proof.

Imagine walking into a private club. The bouncer asks for your membership card. The API key is that membership card for your software.

Why API Keys Matter for Security

According to GitGuardian's 2024 report, over 12.8 million new secrets (including API keys) were exposed in public GitHub repositories. The average cost of a data breach involving credentials is $4.5 million according to IBM's 2024 Cost of a Data Breach Report.

When API keys are exposed:

  • Financial damage: Attackers can run up your bills (crypto mining on AWS, mass API calls to OpenAI)
  • Data access: They might access your database or customer data
  • Service abuse: Your accounts can be banned for terms of service violations
  • Reputation harm: Customer trust is hard to rebuild after a breach

Public vs Secret Keys

Many services give you two types of keys:

  • Public/Publishable keys (like Stripe's pk_live_...): Can be used in frontend code because they have limited permissions
  • Secret keys (like Stripe's sk_live_...): Have full access and must only be used on the server side, never exposed to browsers

Common mistake: Using your secret key in frontend JavaScript. This exposes it to anyone who views your page source. Secret keys belong on your server only.

How to Protect Your API Keys

1. Use Environment Variables

Instead of putting keys directly in your code, use environment variables:

Using an environment variable:

const Stripe = require('stripe'); // load the Stripe SDK
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); // the key is read from the environment, never written in source

2. Add .env to .gitignore

Your .env file should never be committed to git.

3. Use Your Platform's Secrets Manager

When deploying, use your hosting platform's secure environment variable storage:

  • Vercel: Project Settings > Environment Variables
  • Netlify: Site Settings > Environment Variables
  • Railway: Project Variables
  • Supabase: Project Settings > Vault

4. Enable Secret Scanning

GitHub offers free secret scanning that alerts you if API keys are pushed to your repository. Enable it in your repository settings under Security.

What to Do If Your Key Is Exposed

  1. Rotate immediately: Generate a new key in the service's dashboard
  2. Revoke the old key: Delete or deactivate the compromised key
  3. Check for damage: Review logs for unauthorized usage
  4. Find the leak: Run git log -p | grep "sk_" to search every commit's diff for the secret key prefix and find where it was exposed
  5. Clean git history: Use BFG Repo-Cleaner or git filter-branch if committed
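The secret scanning from step 4 and the "find the leak" search above both come down to matching secret key prefixes in text. The following Node script is an added example, not code from the original article or from any of the services it names: it scans diff-style text for Stripe-convention secret keys (sk_live_/sk_test_) while ignoring publishable pk_ keys, and adds a small loader that fails fast when a required environment variable is missing. The SAMPLE_DIFF and its key values are constructed for illustration.

```javascript
// Added example (not from the original article): a pre-commit style check
// that flags Stripe-convention secret keys (sk_live_/sk_test_) in staged text
// while ignoring publishable keys (pk_live_/pk_test_), plus a strict loader
// that reads a secret from the environment and fails fast if it is missing.
// SAMPLE_DIFF is constructed; the key values in it are not real credentials.
const SECRET_KEY_PATTERNS = [
  { name: 'stripe-secret', regex: /\bsk_(live|test)_[A-Za-z0-9]{8,}\b/g },
];

// Mask a key so a finding can be logged without re-exposing the secret.
function mask(key) {
  return key.slice(0, 8) + '...' + key.slice(-4);
}

// Scan text (e.g. `git diff --cached` or `git log -p` output) and return one
// finding per secret key occurrence. Publishable pk_ keys are not reported:
// the article explains they are designed to be used in frontend code.
function findSecretKeys(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { name, regex } of SECRET_KEY_PATTERNS) {
      for (const match of line.matchAll(regex)) {
        findings.push({ line: idx + 1, type: name, masked: mask(match[0]) });
      }
    }
  });
  return findings;
}

// Read a secret from the environment and refuse to start without it, so a
// misconfigured deployment fails loudly instead of calling the API with an
// undefined key.
function requireSecret(name, env = process.env) {
  const value = env[name];
  if (!value) throw new Error(`Missing required environment variable ${name}`);
  return value;
}

// Constructed sample diff: one hard-coded secret, one publishable key, and
// one correct use of an environment variable.
const SAMPLE_DIFF = [
  '+const stripe = new Stripe("sk_live_FAKEexample000");',
  '+const publishable = "pk_live_FAKEexample000";',
  '+const stripe2 = new Stripe(process.env.STRIPE_SECRET_KEY);',
].join('\n');

for (const hit of findSecretKeys(SAMPLE_DIFF)) {
  console.log(`line ${hit.line}: ${hit.type} ${hit.masked}`); // line 1: stripe-secret sk_live_...e000
}
```

To use it as a pre-commit hook, pipe `git diff --cached` into findSecretKeys and reject the commit when it returns any findings; extend SECRET_KEY_PATTERNS with the prefixes of other providers you use.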

What happens if my API key is exposed?

If your API key is exposed, attackers can use it to make requests on your behalf. This could result in unauthorized charges to your account, access to your data, or abuse of the service. You should immediately rotate (replace) any exposed API key.

Where should I store my API keys?

Store API keys in environment variables, not in your code. Use .env files locally (never commit them to git) and your hosting platform's secrets management in production (like Vercel Environment Variables or Railway Variables).

What is the difference between public and secret API keys?

Public (or publishable) keys can be used in frontend code because they have limited permissions. Secret keys have full access and must only be used on the server side, never exposed to browsers. For example, Stripe uses pk_ for public keys and sk_ for secret keys.
