IzziAPI
Tips · Apr 4, 2026 · 7 min read

How to Secure Your AI API Keys in Production

Environment variables, secret managers, key rotation, and scope limiting to protect your API credentials.

Izzi API Team
Engineering & DevRel
Tags: security, api-keys, production, best-practices

API key leaks cost real money

A leaked AI API key can cost you thousands of dollars in minutes. Bots scan GitHub constantly for exposed keys. Here's how to protect yours.

Rule 1: Never hardcode keys

Python
# ❌ NEVER do this
client = OpenAI(api_key="izzi-sk_live_abc123...")

# ✅ Always use environment variables
import os
client = OpenAI(api_key=os.environ["IZZI_API_KEY"])

Rule 2: Use .env files locally

Text
# .env (add to .gitignore!)
IZZI_API_KEY=izzi-YOUR_KEY
IZZI_BASE_URL=https://api.izziapi.com/v1

Python
# Python
from dotenv import load_dotenv
load_dotenv()

JavaScript
// Node.js
import 'dotenv/config';

Critical: Add .env to .gitignore immediately:

Bash
echo ".env" >> .gitignore

Rule 3: Use secret managers in production

| Platform       | Secret manager        | How to access        |
|----------------|-----------------------|----------------------|
| AWS            | Secrets Manager       | SDK / IAM role       |
| Vercel         | Environment Variables | Dashboard → Settings |
| Cloudflare     | Workers Secrets       | wrangler secret put  |
| GitHub Actions | Repository Secrets    | Settings → Secrets   |
| Docker         | Docker Secrets        | docker secret create |
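The loader below is an added example, not Izzi API's own code, that ties Rules 1 to 3 together in one place: it reads the key from a mounted secret file (Docker or Kubernetes style) when one exists, falls back to the IZZI_API_KEY environment variable otherwise, rejects the izzi-YOUR_KEY template value, and never prints a full key in an error message. The secret file path, the IZZI_API_KEY_FILE variable and the key pattern after the izzi- prefix are assumptions made for this example.

```python
import os
import re
from pathlib import Path
from typing import Mapping

# Key shape is an assumption: the page only shows the "izzi-" prefix.
KEY_PATTERN = re.compile(r"^izzi-[A-Za-z0-9_\-\.]{8,}$")
# Template value from the page's .env example; must never reach production.
PLACEHOLDERS = {"izzi-YOUR_KEY"}
# Default mount path used by Docker / Kubernetes secrets (assumed name).
DEFAULT_SECRET_FILE = "/run/secrets/izzi_api_key"


class MissingApiKey(RuntimeError):
    """Raised when no usable key is found; the message never contains the key."""


def redact(key: str) -> str:
    """Return a log-safe form: the prefix plus the last four characters."""
    if len(key) <= 9:
        return "izzi-****"
    return f"{key[:5]}...{key[-4:]}"


def load_api_key(env: Mapping[str, str] = os.environ,
                 secret_file: str = DEFAULT_SECRET_FILE) -> str:
    """Resolve the key in order: secret file (IZZI_API_KEY_FILE or the default
    mount path), then the IZZI_API_KEY environment variable."""
    path = Path(env.get("IZZI_API_KEY_FILE", secret_file))
    if path.is_file():
        key = path.read_text().strip()
    elif env.get("IZZI_API_KEY"):
        key = env["IZZI_API_KEY"].strip()
    else:
        raise MissingApiKey("no API key: set IZZI_API_KEY or mount a secret file")
    if key in PLACEHOLDERS:
        raise MissingApiKey("API key is still the template placeholder")
    if not KEY_PATTERN.match(key):
        raise MissingApiKey(f"API key has an unexpected format: {redact(key)}")
    return key


if __name__ == "__main__":
    # Startup check: fail fast and loudly, but only ever log the redacted key.
    print("loaded key", redact(load_api_key()))
```

Reading the secret file first means the same image works under Docker secrets or a Kubernetes mounted secret, and the environment-variable fallback covers Vercel or GitHub Actions; every failure path goes through redact(), so a crashed startup never writes the key into a log.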

Rule 4: Rotate keys regularly

  1. Create a new API key in Izzi API Dashboard
  2. Update your environment/secret manager
  3. Verify the new key works
  4. Delete the old key

Recommended rotation schedule: every 90 days, or immediately if you suspect a leak.

Rule 5: Use multiple keys

Create separate keys for different environments:

  • 🔑 izzi-dev-... — Development (low limits)
  • 🔑 izzi-staging-... — Staging
  • 🔑 izzi-prod-... — Production

Rule 6: Monitor usage

Check your Izzi API dashboard regularly for:

  • 📊 Unexpected spikes in token usage
  • 📊 Requests from unknown IP addresses
  • 📊 Usage patterns that don't match your application
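Dashboard checks are easy to forget, so here is an added example (not Izzi API's code) that turns the first two bullets into an automatic check over a usage export: it totals tokens per key per hour, flags an hour whose total exceeds five times the median of the earlier hours, and flags any source address outside a known egress list. The CSV layout, the sample rows, the known addresses and the 5× threshold are all constructed for this example; the real dashboard export format is not documented here.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample export (timestamp, key label, source IP, tokens).
SAMPLE_LOG = """\
timestamp,key,ip,tokens
2026-04-01T10:05:00,izzi-prod,203.0.113.10,1200
2026-04-01T10:40:00,izzi-prod,203.0.113.10,900
2026-04-01T11:10:00,izzi-prod,203.0.113.11,1100
2026-04-01T11:50:00,izzi-prod,203.0.113.10,1000
2026-04-01T12:15:00,izzi-prod,203.0.113.10,1300
2026-04-01T13:02:00,izzi-prod,198.51.100.77,48000
2026-04-01T13:30:00,izzi-prod,198.51.100.77,52000
"""

# Egress addresses of your own servers (assumed values for this example).
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_usage(text):
    """Parse the CSV export into dicts with a datetime and an int token count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "key": row["key"],
            "ip": row["ip"],
            "tokens": int(row["tokens"]),
        })
    return rows


def detect_anomalies(rows, known_ips=KNOWN_IPS, spike_factor=5.0):
    """Return a list of alert tuples: unknown source IPs and hourly token spikes."""
    alerts = []
    hourly = defaultdict(int)
    seen_unknown = set()
    for r in rows:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        hourly[(r["key"], hour)] += r["tokens"]
        if r["ip"] not in known_ips and (r["key"], r["ip"]) not in seen_unknown:
            seen_unknown.add((r["key"], r["ip"]))
            alerts.append(("unknown_ip", r["key"], r["ip"]))
    # Group the hourly totals per key, in time order.
    by_key = defaultdict(list)
    for (key, hour), total in sorted(hourly.items()):
        by_key[key].append((hour, total))
    # An hour is a spike when it exceeds spike_factor x the median of all
    # earlier hours for that key; at least two earlier hours are required.
    for key, series in by_key.items():
        for i, (hour, total) in enumerate(series):
            baseline = [t for _, t in series[:i]]
            if len(baseline) >= 2 and total > spike_factor * statistics.median(baseline):
                alerts.append(("token_spike", key, hour.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_usage(SAMPLE_LOG)):
        print(alert)
```

Run it from a scheduled job against a fresh export and page someone on any alert; on the sample data the 13:00 hour (100,000 tokens against a 2,100-token median) and the unknown address 198.51.100.77 both trip, which is exactly the pattern a leaked key produces.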

Emergency: Key leaked?

  1. Immediately delete the key in your dashboard
  2. Create a new key
  3. Update all deployments
  4. Check your usage logs for unauthorized usage
  5. Scan your git history: git log -p | grep "izzi-"
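The grep in step 5 only finds what is already committed. The added example below (not Izzi API's own code) does the same search as a function you can run in CI or a pre-commit hook: it scans the working tree for izzi- prefixed strings, skips build and VCS directories, ignores the izzi-YOUR_KEY template value, and can run the page's git log -p check over every branch. The key shape after the prefix and the placeholder list are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Key shape is an assumption: the page only shows the "izzi-" prefix.
KEY_RE = re.compile(r"\bizzi-[A-Za-z0-9_\-]{8,}\b")
# Template values that are safe to commit (from the page's .env example).
PLACEHOLDERS = {"izzi-YOUR_KEY"}
# Directories that are either not ours or already covered by the git scan.
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def find_keys(text: str):
    """Return (line_no, match) pairs for every key-shaped string in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            if m.group(0) not in PLACEHOLDERS:
                hits.append((n, m.group(0)))
    return hits


def scan_tree(root):
    """Scan every regular file under root; returns (relative path, line, key)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or any(part in SKIP_DIRS for part in rel.parts):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for n, key in find_keys(text):
            findings.append((str(rel), n, key))
    return findings


def scan_git_history(repo="."):
    """The page's `git log -p | grep "izzi-"` step over all branches; a hit here
    means the key must be rotated, because rewriting history does not unleak it."""
    result = subprocess.run(["git", "-C", repo, "log", "-p", "--all"],
                            capture_output=True, text=True, check=False)
    return find_keys(result.stdout)


if __name__ == "__main__":
    import sys
    found = scan_tree(".") + [("<git history>", n, k) for n, k in scan_git_history(".")]
    for where, line, key in found:
        print(f"{where}:{line}: {key[:5]}...{key[-4:]}")
    sys.exit(1 if found else 0)
```

The exit status makes it usable as a pre-commit hook or CI gate; the printed form is redacted so the scanner's own output does not become a second copy of the leak.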

Prevention checklist

  • ☐ .env is in .gitignore
  • ☐ No API keys in source code
  • ☐ Production uses secret manager
  • ☐ Keys rotate every 90 days
  • ☐ Separate keys per environment
  • ☐ Usage alerts configured

Ready to start building?

Access 38+ AI models through a single API. Free tier available — no credit card required.
