Reference · How-to · ~5 min

How to secure API keys

Last updated

Keep provider keys off the client and out of Git — a 5-minute security pass.

Keep provider keys off the client and out of Git — a 5-minute security pass.

Steps

1. **Environment variables** — `OPENAI_API_KEY` on the server only.

2. **Proxy route** — Browser calls `/api/chat`; server adds the key.

3. **Ignore `.env`** — Confirm `.env*` is in `.gitignore`.

4. **Rotate on leak** — Revoke old keys in the provider dashboard immediately.

5. **Rate-limit your route** — Per-user caps so one tab can't drain your budget.

Copy-paste checklist

[ ] Key only in server env / secret manager
[ ] No key in NEXT_PUBLIC_* vars
[ ] No key in client bundles or Storybook
[ ] Logging scrubs Authorization headers
[ ] Separate keys for dev vs prod

Watch out

Screenshots, error reports, and CI logs often **leak keys**. Scan repos with a secret scanner before going public.

**Try the lesson:** `llm-api-hello` in Lane D