IzziAPI
Tips · Apr 4, 2026 · 7 min read

How to Secure Your AI API Keys in Production

Environment variables, secret managers, key rotation, and scope limiting to protect your API credentials.

Izzi API Team
Engineering & DevRel
Tags: security, api-keys, env-vars, secrets-manager, production

API key leaks cost real money

Leaked API keys get scraped by bots within 30 seconds of being pushed to a public GitHub repo. One developer reported $12,000 in charges within 2 hours after accidentally committing an OpenAI key. Here's how to prevent that.

Level 1: Environment variables

The minimum acceptable approach. Never hardcode keys in source code.

Bash
# .env file (add to .gitignore!)
IZZI_API_KEY=izzi-YOUR_KEY_HERE
IZZI_BASE_URL=https://api.izziapi.com/v1
Python
# Python
import os
from openai import OpenAI

client = OpenAI(
    api_key=os.environ["IZZI_API_KEY"],
    base_url=os.environ["IZZI_BASE_URL"]
)
TypeScript
// Node.js
import OpenAI from "openai";

const client = new OpenAI({
  apiKey: process.env.IZZI_API_KEY!,
  baseURL: process.env.IZZI_BASE_URL!,
});

Level 2: .gitignore defense

Bash
# .gitignore — MUST include these
.env
.env.local
.env.production
*.key
*.pem
config/secrets.yml

Add a pre-commit hook to catch accidental commits:

Bash
#!/bin/sh
# .git/hooks/pre-commit (make it executable: chmod +x .git/hooks/pre-commit)
# Refuse staged secret files: .env, .env.*, *.key, *.pem
if git diff --cached --name-only | grep -E '(^|/)\.env(\.[^/]*)?$|\.(key|pem)$'; then
  echo "ERROR: Attempting to commit secret files!"
  exit 1
fi
# Refuse key-like strings on ADDED lines only (the leading '+' means a commit
# that removes a leaked key is not blocked)
if git diff --cached -U0 | grep -E '^\+.*(izzi-|sk-|gsk_|AIza)'; then
  echo "ERROR: API key detected in staged changes!"
  exit 1
fi
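The second check above does its job with a single grep, but it prints the offending line, key included, back to the terminal, and it does not say which file or line tripped it. The following scanner is an added example, not code from the original post: it walks a unified diff, inspects only added lines, reports file and line number, and masks the match so the hook output itself cannot leak the credential. The key-prefix list comes from the post's hook; the diff and the key values in it are constructed for the example.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Prefixes from the post's pre-commit grep, followed by a run of key-like chars.
KEY_PATTERNS = re.compile(r"(izzi-|sk-|gsk_|AIza)[A-Za-z0-9_\-]{8,}")
FILE_HEADER = re.compile(r"^\+\+\+ b/(.*)$")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

@dataclass
class Finding:
    path: str
    line: int
    masked: str   # prefix kept, remainder replaced, so the report is log-safe

def mask(secret: str, keep: int = 6) -> str:
    return secret[:keep] + "*" * (len(secret) - keep)

def scan_staged_diff(diff_text: str) -> List[Finding]:
    """Findings for key-like strings on ADDED lines of a unified diff (git diff --cached -U0)."""
    findings: List[Finding] = []
    path = "<unknown>"
    line_no = 0
    for raw in diff_text.splitlines():
        m = FILE_HEADER.match(raw)
        if m:
            path = m.group(1)
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            line_no = int(m.group(1))   # first new-file line number of this hunk
            continue
        if raw.startswith("+"):
            for km in KEY_PATTERNS.finditer(raw[1:]):
                findings.append(Finding(path, line_no, mask(km.group(0))))
            line_no += 1
        elif raw.startswith("-"):
            # Removed lines do not exist in the new file: don't count them and
            # don't flag them, so a commit that deletes a leaked key goes through.
            continue
        else:
            line_no += 1   # unchanged context line (only present with -U>0)
    return findings

# Constructed sample diff: a config change that pastes a key, and a README
# change that removes an old one (the second must not be reported).
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -3,0 +4,2 @@
+API_KEY = "izzi-EXAMPLE000000000000000000"
+BASE_URL = "https://api.izziapi.com/v1"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-Old key was sk-EXAMPLEOLDOLDOLDOLDOLD
+Keys live in the secret manager, never here.
"""

if __name__ == "__main__":
    # Usage from the hook: git diff --cached -U0 | python scan_staged_diff.py
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    hits = scan_staged_diff(text)
    for f in hits:
        print(f"ERROR: {f.path}:{f.line}: API key detected ({f.masked})")
    sys.exit(1 if hits else 0)
```

Piped into the hook in place of the second grep, a non-zero exit blocks the commit while the developer sees `app/config.py:4` and a masked prefix rather than the full key.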

Level 3: Secret managers (production)

AWS Secrets Manager

Python
import boto3
import json

def get_api_key() -> str:
    client = boto3.client("secretsmanager", region_name="us-east-1")
    response = client.get_secret_value(SecretId="izzi-api-key")
    secret = json.loads(response["SecretString"])
    return secret["api_key"]

Docker secrets

YAML
# docker-compose.yml
services:
  app:
    image: myapp
    secrets:
      - izzi_api_key
    environment:
      - IZZI_API_KEY_FILE=/run/secrets/izzi_api_key

secrets:
  izzi_api_key:
    file: ./secrets/izzi_api_key.txt
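The compose file above hands the application a path in IZZI_API_KEY_FILE, but the post never shows the application reading it. This loader is an added example, not code from the original post: it accepts either IZZI_API_KEY (Level 1) or IZZI_API_KEY_FILE (the Docker secrets layout), strips the trailing newline that secret files usually carry, fails at startup when nothing is configured, and exposes only a masked form for logging. The izzi- prefix check is an assumption based on the post's sample key and its pre-commit grep; the sample secret written by the demo is constructed.

```python
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional

class MissingSecret(RuntimeError):
    """Raised at startup so a misconfigured deploy fails before serving traffic."""

def load_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Resolve the key from IZZI_API_KEY_FILE (preferred) or IZZI_API_KEY."""
    env = os.environ if env is None else env
    file_path = env.get("IZZI_API_KEY_FILE")
    if file_path:
        # Docker mounts each secret as a file under /run/secrets. Strip the
        # trailing newline editors add; it would otherwise end up in the
        # Authorization header and produce confusing 401s.
        try:
            key = Path(file_path).read_text(encoding="utf-8").strip()
        except OSError as exc:
            raise MissingSecret(f"cannot read IZZI_API_KEY_FILE={file_path}: {exc}") from exc
    else:
        key = env.get("IZZI_API_KEY", "").strip()
    if not key:
        raise MissingSecret("set IZZI_API_KEY or IZZI_API_KEY_FILE")
    if not key.startswith("izzi-"):
        # Assumed key format (the post's sample key and its pre-commit grep both
        # use the izzi- prefix); catches a leftover placeholder or another vendor's key.
        raise MissingSecret("IZZI_API_KEY does not look like an Izzi API key")
    return key

def masked(key: str) -> str:
    """Log-safe form: prefix and last four characters only."""
    return f"{key[:5]}...{key[-4:]}" if len(key) > 12 else "***"

def demo_file_secret() -> str:
    """Constructed demo: write a sample secret file and load it the Docker way."""
    with tempfile.TemporaryDirectory() as d:
        secret_file = Path(d) / "izzi_api_key"
        secret_file.write_text("izzi-EXAMPLEKEY1234\n", encoding="utf-8")  # constructed value
        return load_api_key({"IZZI_API_KEY_FILE": str(secret_file)})

if __name__ == "__main__":
    from openai import OpenAI
    api_key = load_api_key()
    print("starting with key", masked(api_key))  # never log the key itself
    client = OpenAI(api_key=api_key,
                    base_url=os.environ.get("IZZI_BASE_URL", "https://api.izziapi.com/v1"))
```

Because the loader takes the environment as a parameter, the same function is unit-testable without touching the real process environment, which is also how you keep test fixtures from ever needing a real key.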

Level 4: Key rotation

Rotate your API keys every 90 days. On Izzi API:

  1. Go to Dashboard → API Keys
  2. Create a new key
  3. Update your environment/secret manager
  4. Verify the new key works
  5. Delete the old key

Python
from openai import OpenAI

def rotate_key(old_key_id: str) -> None:
    """Automated key rotation pattern.

    create_new_izzi_key, update_secret_manager and delete_old_izzi_key are
    placeholders for your dashboard-API and secret-manager calls.
    """
    new_key = create_new_izzi_key()
    update_secret_manager("izzi-api-key", new_key)

    # Verify new key works; if this call raises, the old key is left in place
    test_client = OpenAI(api_key=new_key, base_url="https://api.izziapi.com/v1")
    test_client.chat.completions.create(
        model="qwen3-30b-a3b",  # Use free model for testing
        messages=[{"role": "user", "content": "ping"}],
        max_tokens=5
    )

    # Delete old key only after verification succeeded
    delete_old_izzi_key(old_key_id)
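The important property of the five steps is ordering: the old key is deleted only after the new one has been proven to work, and a failed verification must leave the old key live. The code below is an added example, not the post's code, that makes that guarantee explicit. It swaps steps 3 and 4 (verify the new secret before writing it to the secret manager, so a dead key never reaches running services) and, on failure, revokes the unused new key so it does not linger as an untracked second credential. The create/verify/store/revoke operations are injected callables; the in-memory FakeProvider and its key values are constructed stand-ins, and verify_with_izzi reproduces the post's "ping" call for real use.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

@dataclass
class RotationResult:
    new_key_id: str
    old_key_id: str
    old_key_deleted: bool
    error: Optional[str] = None

def rotate_key(
    old_key_id: str,
    create_key: Callable[[], Tuple[str, str]],  # -> (key_id, secret); step 2
    verify_key: Callable[[str], bool],          # cheap authenticated call; step 4
    store_key: Callable[[str], None],           # write secret to the manager; step 3
    revoke_key: Callable[[str], None],          # delete a key by id; step 5
) -> RotationResult:
    """Create, verify, store, then revoke the old key; on any failure keep the old key."""
    new_id, new_secret = create_key()
    try:
        # Verify BEFORE writing to the secret manager, so a dead key never
        # reaches running services.
        if not verify_key(new_secret):
            raise RuntimeError("new key failed verification")
        store_key(new_secret)
    except Exception as exc:
        # Roll back: the old key stays live; the unused new key is revoked so it
        # does not linger as a second valid credential nobody tracks.
        revoke_key(new_id)
        return RotationResult(new_id, old_key_id, False, str(exc))
    # Only now is the old key retired. Services still holding the old secret in
    # memory break at this point, so redeploy them (or keep a grace period) first.
    revoke_key(old_key_id)
    return RotationResult(new_id, old_key_id, True)

def verify_with_izzi(secret: str) -> bool:
    """Verifier for real use: the post's 'ping' against the free model."""
    from openai import OpenAI  # imported here so the fakes below run offline
    try:
        OpenAI(api_key=secret, base_url="https://api.izziapi.com/v1").chat.completions.create(
            model="qwen3-30b-a3b",
            messages=[{"role": "user", "content": "ping"}],
            max_tokens=5,
        )
        return True
    except Exception:
        return False

@dataclass
class FakeProvider:
    """Constructed in-memory stand-in for the dashboard API plus secret manager."""
    live: Dict[str, str] = field(default_factory=dict)  # key_id -> secret
    stored: Optional[str] = None                         # what services read
    issued: int = 0
    broken: bool = False   # simulate a newly issued key that does not work

    def create(self) -> Tuple[str, str]:
        self.issued += 1
        key_id, secret = f"key-{self.issued}", f"izzi-EXAMPLE{self.issued:04d}"
        self.live[key_id] = secret
        return key_id, secret

    def verify(self, secret: str) -> bool:
        return not self.broken and secret in self.live.values()

    def store(self, secret: str) -> None:
        self.stored = secret

    def revoke(self, key_id: str) -> None:
        self.live.pop(key_id, None)

def rotate_with(provider: FakeProvider, old_key_id: str) -> RotationResult:
    return rotate_key(old_key_id, provider.create, provider.verify,
                      provider.store, provider.revoke)

if __name__ == "__main__":
    p = FakeProvider()
    old_id, old_secret = p.create()
    p.store(old_secret)
    print(rotate_with(p, old_id))
```

Against a real account you would pass your own create and revoke functions (wrapping the dashboard API or its equivalent), a store function that writes to Secrets Manager, and verify_with_izzi as the verifier; the rollback path is the part worth exercising with the fake before trusting the job in a cron schedule.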

Security checklist

Check                               Level           Done?
------------------------------------------------------------
No hardcoded keys in source code    Critical        [ ]
.env files in .gitignore            Critical        [ ]
Pre-commit hook for leak detection  Important       [ ]
Secret manager in production        Important       [ ]
Key rotation every 90 days          Best practice   [ ]
Separate keys per environment       Best practice   [ ]
Monitor usage for anomalies         Best practice   [ ]
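The last two checklist items work together: separate keys per environment are what make a per-key baseline meaningful, and a usage monitor is what turns a leaked key into an alert instead of a surprise bill. This is an added example, not code from the original post: it counts requests per key id per minute from a simple usage log, flags a window that exceeds a multiple of that key's trailing median, and separately tallies 401/403 rejections per key, which after a rotation tells you which service is still using the deleted key. The log format, thresholds and key ids are constructed; log key ids, never the secrets themselves.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed log format: "<epoch seconds> key=<key id> status=<http status>"
LOG_RE = re.compile(r"^(?P<ts>\d+) key=(?P<key>\S+) status=(?P<status>\d{3})$")

def parse_usage(lines: Iterable[str], window_s: int = 60) -> Dict[str, Dict[int, int]]:
    """Count requests per key per fixed window: {key: {window_start: count}}."""
    counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # skip lines in another format rather than crash the monitor
        window = int(m["ts"]) // window_s * window_s
        counts[m["key"]][window] += 1
    return counts

def find_spikes(counts: Dict[str, Dict[int, int]], factor: float = 5.0,
                min_history: int = 3, min_count: int = 20) -> List[Tuple[str, int, int, float]]:
    """(key, window, count, baseline) where count > factor x that key's trailing median.
    min_count keeps a quiet dev key from alerting on a jump from 2 to 11 requests."""
    alerts = []
    for key, by_window in counts.items():
        history: List[int] = []
        for window in sorted(by_window):
            c = by_window[window]
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if c >= min_count and c > factor * baseline:
                    alerts.append((key, window, c, baseline))
            history.append(c)
    return alerts

def auth_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Requests rejected with 401/403 per key id. After a rotation this points at
    the service still holding the old key; otherwise it is worth a look on its own."""
    failures: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["status"] in ("401", "403"):
            failures[m["key"]] += 1
    return dict(failures)

def constructed_log() -> List[str]:
    """Constructed sample: prod key steady for four minutes then an 8x burst,
    dev key steady throughout, and a deleted key still being tried by something."""
    base = 1_700_000_040   # aligned to a minute boundary so windows are clean
    lines: List[str] = []
    for w in range(5):
        for i in range(10 if w < 4 else 80):
            lines.append(f"{base + w * 60 + i % 60} key=prod-key-a status=200")
    for w in range(5):
        for i in range(8):
            lines.append(f"{base + w * 60 + i} key=dev-key-b status=200")
    for i in range(3):
        lines.append(f"{base + 240 + i} key=old-key-c status=401")
    return lines

if __name__ == "__main__":
    log = constructed_log()
    for key, window, count, baseline in find_spikes(parse_usage(log)):
        print(f"ALERT {key}: {count} requests in window {window} (baseline {baseline})")
    print("auth failures per key:", auth_failures(log))
```

The trailing median rather than the mean is deliberate: one earlier burst would otherwise raise the baseline and hide the next one. In production the same two functions run over whatever your gateway or the provider's usage export gives you, with the alert wired to revoking the key.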

What's next


Ready to start building?

Access 38+ AI models through a single API. Free tier available — no credit card required.
