Reference · How-to · ~5 min
How to secure API keys
Last updated
Keep provider keys off the client and out of Git — a 5-minute security pass.
Keep provider keys off the client and out of Git — a 5-minute security pass.
Steps
1. **Environment variables** — `OPENAI_API_KEY` on the server only.
2. **Proxy route** — Browser calls `/api/chat`; server adds the key.
3. **Ignore `.env`** — Confirm `.env*` is in `.gitignore`.
4. **Rotate on leak** — Revoke old keys in the provider dashboard immediately.
5. **Rate-limit your route** — Per-user caps so one tab can't drain your budget.
Copy-paste checklist
[ ] Key only in server env / secret manager
[ ] No key in NEXT_PUBLIC_* vars
[ ] No key in client bundles or Storybook
[ ] Logging scrubs Authorization headers
[ ] Separate keys for dev vs prodWatch out
Screenshots, error reports, and CI logs often **leak keys**. Scan repos with a secret scanner before going public.