
How to share API keys securely with your team

Stop pasting API keys into Slack. Learn the secure workflow for distributing keys and secrets.

API keys are the backbone of modern software. They connect your application to payment processors, cloud services, databases, email providers, and more. A leaked API key can cost thousands of dollars in unauthorized usage, expose customer data, or take down your entire application.

The real cost of a leaked API key

In 2025, exposed AWS keys led to average unauthorized charges of $15,000 before detection. Stripe key leaks have resulted in fraudulent payments. GitHub reports scanning billions of commits and finding millions of exposed secrets. The risk is not theoretical — it is a daily reality for development teams.

How API keys get leaked

  • Pasting keys in Slack or Teams channels — searchable, backed up, visible to all members.
  • Committing .env files to Git — removing the file in a later commit does not help; the key stays in the history, in every clone and in every fork.
  • Sharing keys via email — permanent, forwardable, backed up on multiple servers.
  • Storing keys in shared Google Docs — insufficient access control, no audit trail.
  • Hardcoding keys in source code — deployed to production, visible in build artifacts.

Secure API key sharing workflow

Step 1: Generate the key in a secure environment

Generate API keys directly from the provider's dashboard, on your own secured device, never on a shared or public machine. Where the provider allows it, restrict the key's permissions and scope to what the integration actually needs, so a leak of that key cannot do more than that integration could.

Step 2: Share via encrypted one-time link

Paste the API key into PassLink. Set the expiration to 1 hour (or 24 hours for asynchronous teams). Add password protection for production keys, and share the password over a different channel from the link. Send the link to the team member.

Step 3: Recipient saves to secrets manager

The recipient opens the link, copies the key, and stores it directly in the project's secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler, or a gitignored .env.local for development). The key should not be re-pasted into chat, tickets or email along the way.

Step 4: Confirm and rotate

Confirm that the recipient has saved the key. The link self-destructed on the first open, so anyone who obtains it later gets nothing; if the recipient reports that the link was already used when they opened it, treat the key as exposed. If the key was only for initial setup, rotate it after the first successful integration test.

Environment-specific key management

Development: Use .env.local files (gitignored). Share initial values via one-time links. Each developer should have their own API keys when possible.

Staging: Store keys in CI/CD secret variables (GitHub Secrets, GitLab CI). Use separate keys from production.

Production: Use a dedicated secrets manager (AWS Secrets Manager, Vault, Doppler). Rotate keys every 90 days. Monitor for unauthorized usage.

Recommended tools for API key management

  • PassLink — For one-time key distribution to team members. Free, zero-knowledge, no account required.
  • AWS Secrets Manager — For production key storage with automatic rotation and IAM access control.
  • HashiCorp Vault — For enterprise-grade secrets management with dynamic secrets and lease-based access.
  • Doppler — For developer-friendly environment variable management across all stages.
  • GitHub Secrets — For CI/CD pipeline secrets with repository-scoped access.

Frequently asked questions

Should I use different API keys for each environment?

Absolutely. Using the same key across development, staging, and production means a leak in any environment compromises all of them. Always generate separate keys per environment.

How often should I rotate API keys?

Rotate production keys every 90 days. Rotate immediately if a team member with access leaves the organization. Rotate immediately if you suspect any key may have been exposed.

What should I do if I accidentally commit an API key to Git?

Treat the key as compromised and revoke it from the provider's dashboard immediately, then generate a new one. Force-pushing to remove the commit is not enough: the secret remains in the local reflog, in every existing clone and fork, in CI caches, and in anything that mirrored the repository before the rewrite. Rewrite the history afterwards if you want the value out of the repository, but only after the key is dead.

Conclusion

API key security is not just a best practice — it is a business requirement. By using encrypted one-time links for distribution, environment-specific keys, and a proper secrets manager for storage, you can protect your team and your customers from costly security incidents.

Try PassLink: it's free

Create an encrypted, self-destructing link in 10 seconds. No sign-up required.
