-
Notifications
You must be signed in to change notification settings - Fork 4
API Keys & Secrets
API keys, private tokens, and service credentials must never be committed to any repository β public or private.
Leaking a key can expose systems, incur billing charges, or compromise client data.
This page explains how to properly manage secrets using environment variables, secure .env files, and safe rotation practices.
Why this rule exists
Even if a repo is private, you must assume it could become exposed.
Secrets committed into Git history are permanently retrievable, even after deletion.
Risks include:
- Unauthorized access to external APIs
- Financial cost for abused tokens
- Security responsibility for leaked client data
- Public exposure if the repo is ever made open-source
If a secret is committed, you MUST rotate it immediately.
How to store credentials with environment variables
Environment variables keep secrets separate from your codebase.
Examples of environment-based access:
API_KEY=abcd1234
AUTH_TOKEN=somerandomvalueThen access it in code:
const apiKey = process.env.API_KEY- Use
.envfiles locally - Read values using
process.env.VARIABLE_NAME - Never hardcode strings like
apiKey = "12345" - Document what environment variables are required
Rules for handling .env files
.env files contain secrets β treat them like passwords.
- Always add
.envto.gitignore - Do not upload
.envto GitHub - Do not send
.envin Slack/Discord/Email - Store
.envfiles locally or in secret managers
Example .gitignore entry:
.env
.env.production
.env.development- Share via secure channels (Bitwarden, 1Password, encrypted file transfer)
- Never commit for convenience
How to work safely without exposing keys
- Keep personal
.envlocal per developer - Use
.env.exampleto show variable names without real values - Document required keys in the README or wiki
Example .env.example:
API_KEY=
FIREBASE_PROJECT_ID=
EAS_SECRET_TOKEN=Developers fill in values privately β not stored in repo.
- Comment purpose of each variable in
.env.example - Use different keys for dev and prod environments
When rotation is required and how to do it safely
API credentials must be rotated (replaced) when:
- A key is accidentally committed
- A team member leaves the project
- A repository is made public
- A device with secrets is lost
- Client requests renewal
- Generate a new key in provider dashboard
- Replace old key in
.envor secret manager - Remove any committed references
- Notify team to update their
.env - Invalidate/delete old key
Never leave old keys active.
Home β’ New Student Onboarding β’ Guides β’ Projects β’ Code of Conduct β’ FAQ
Last updated: 12/7/2025