
# API Keys: Best Practices for Security

by Myranda U. Shirk
Vanderbilt AI Summer 2025
Made with help from Windsurf IDE :)

**What is an API Key?**

An API key is a unique identifier that is used to authenticate a user or application when making requests to an API.

**How do I use an API Key in my code?**

In Python, you usually use an API key in your code by storing it in a variable and then passing it as a parameter to the API request. Some libraries will accept your API key as a parameter, while others will require you to set it as an environment variable. We'll look at examples of both.

**General Guidelines for API Keys**

1. Never hardcode your API key in your code. This is a security risk.
2. Never commit your API key to a public (or even private!) repository.
3. Never share your API key with anyone.
4. Never expose your API key in a public place, such as a website or blog, or files that others can access.

## Code Examples

Here is one of the most common mistakes I see with API Keys.

```python
import os

# store api key
my_example_api_key = "asdfasdflkjf"

# set api key to environment variable
os.environ["API_KEY"] = my_example_api_key
```


*Question: What's wrong with this?*

*Your Answer:*

Or this iteration:

```python
import requests

# Example API endpoint
url = "https://api.example.com/data"

# Include the API key in the headers
headers = {
    "Authorization": f"Bearer {my_example_api_key}",
    "Content-Type": "application/json"
}

# Make the GET request
response = requests.get(url, headers=headers)
```


*Question: Now, what's wrong with this one?*

You WILL be tempted to do this! Don't give in!

## Coding Best Practice

Now let's look at how to do this the right way! I'll be using an easy password library called getpass. It is part of the Python standard library, so there is nothing to install with pip.

```python
import os
from getpass import getpass

# when run, this will prompt you to enter the API key in the terminal
# (the input is not echoed to the screen)
my_example_api_key = getpass("Enter your API key: ")

# set api key to environment variable
os.environ["API_KEY"] = my_example_api_key
```
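As an added example (not part of the original notebook), here is a small heuristic check for guidelines 1 and 2: it parses Python source and reports string literals that are assigned to secret-looking names or passed as secret-looking parameters, so it flags the hardcoded pattern above and passes the getpass version. The name pattern, the sample strings and the `Client` class are assumptions made for illustration.

```python
import ast
import re

# Assumption: names that usually hold credentials; tune the pattern for your code.
SECRET_NAME = re.compile(r"api_?key|token|secret|passw(or)?d", re.IGNORECASE)

def _is_literal_str(node):
    """True for a non-empty string constant such as "asdfasdflkjf"."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)

def _target_name(target):
    """Name being assigned: `x = ...` or `os.environ["X"] = ...` (Python 3.9+ AST)."""
    if isinstance(target, ast.Name):
        return target.id
    if isinstance(target, ast.Subscript) and _is_literal_str(target.slice):
        return target.slice.value
    return None

def find_hardcoded_keys(source):
    """Return sorted (line, name) pairs where a string literal feeds a secret-like name."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_literal_str(node.value):
            names = [_target_name(t) for t in node.targets]
        elif isinstance(node, ast.keyword) and _is_literal_str(node.value):
            names = [node.arg]  # key passed as a parameter, e.g. Client(token="...")
        else:
            continue
        for name in names:
            if name and SECRET_NAME.search(name):
                findings.append((node.value.lineno, name))
    return sorted(findings)

# Constructed samples: the page's hardcoded pattern, its getpass pattern, and two
# made-up lines (Client is a hypothetical class) covering env-var and parameter use.
HARDCODED = 'import os\nmy_example_api_key = "asdfasdflkjf"\nos.environ["API_KEY"] = my_example_api_key\n'
PROMPTED = 'from getpass import getpass\nmy_example_api_key = getpass("Enter your API key: ")\n'
OTHER = 'os.environ["HF_TOKEN"] = "constructed-value"\nclient = Client(token="constructed-value")\n'

if __name__ == "__main__":
    for label, src in [("hardcoded", HARDCODED), ("prompted", PROMPTED), ("other", OTHER)]:
        print(label, find_hardcoded_keys(src))
```

A name-based check like this misses keys stored under unrelated variable names and can flag harmless strings, so treat a clean result as a first pass before committing, not as proof that no key is present.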


Let's look at a real example in HuggingFace.

```python
# import HF libraries
from huggingface_hub import HfApi
import os
from getpass import getpass

hf_token = getpass("Enter your Hugging Face token: ")

# set env variable
os.environ["HF_TOKEN"] = hf_token

# get list of models
models = HfApi().list_models(filter="text-classification")

count = 0
for model in models:
    print(model)
    count += 1
    if count == 5:
        break
```


ModelInfo(id='NousResearch/Minos-v1', author=None, sha=None, created_at=datetime.datetime(2025, 4, 24, 4, 38, 23, tzinfo=datetime.timezone.utc), last_modified=None, private=False, disabled=None, downloads=2822, downloads_all_time=None, gated=None, gguf=None, inference=None, inference_provider_mapping=None, likes=111, library_name='transformers', tags=['transformers', 'safetensors', 'modernbert', 'text-classification', 'base_model:answerdotai/ModernBERT-large', 'base_model:finetune:answerdotai/ModernBERT-large', 'license:apache-2.0', 'autotrain_compatible', 'endpoints_compatible', 'region:us'], pipeline_tag='text-classification', mask_token=None, card_data=None, widget_data=None, model_index=None, config=None, transformers_info=None, trending_score=13, siblings=None, spaces=None, safetensors=None, security_repo_status=None, xet_enabled=None)
ModelInfo(id='facebook/bart-large-mnli', author=None, sha=None, created_at=datetime.datetime(2022, 3, 2, 23, 29, 5, tzinfo=datetime.timezone.utc), 