How to Secure Your API Keys (And Why .env Files Aren’t Enough)
I need to tell you about something that happened to a developer I know. Let’s call him Alex.
Alex built a side project. A simple web app that used the OpenAI API. He put his API key in a .env file, added .env to his .gitignore, and pushed his code to GitHub. Secure, right?
Three weeks later, his OpenAI bill was $4,800.
What happened? He committed the .env file once, early in the project, before adding it to .gitignore. He removed it later, but the key was still in his git history. A bot found it, scraped it, and someone used his key to run crypto mining operations disguised as API calls.
GitHub has secret scanning now, but Alex’s story isn’t unique. In 2025, hardcoded API keys discovered in public repositories continue to lead to unauthorized access, massive bills, and data breaches.
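The failure Alex hit, a key deleted from the working tree but still sitting in an earlier commit, as an added example that is not part of the original post: a small Python scanner that walks the text of `git log -p --all` and reports every key that was ever added, so each one can be rotated. The `sk-` key shape and the embedded log text are assumptions (constructed for this illustration, not taken from a real repository).

```python
import re

# Assumed key shape: OpenAI-style keys start with "sk-". Add one pattern per provider you use.
KEY_PATTERNS = {"openai": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")}

def mask(secret: str) -> str:
    # Report only a prefix and suffix so the scan output cannot itself leak the key.
    return secret[:6] + "..." + secret[-4:]

def scan_history(log_patch: str) -> list:
    """Walk the text of `git log -p --all` and return (commit, path, provider, masked, added)
    for every secret that ever appeared in a diff. Removed ('-') lines are reported too:
    a key deleted in a later commit is still recoverable from the earlier commit's blob."""
    findings, commit, path = [], None, None
    for line in log_patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]          # tolerates "(HEAD -> main)" decorations
        elif line.startswith(("--- ", "+++ ")):
            name = line[4:]
            if name != "/dev/null":           # keep the real side of an add or delete
                path = name[2:] if name.startswith(("a/", "b/")) else name
        elif line[:1] in ("+", "-"):          # hunk content line, not a file header
            for provider, pat in KEY_PATTERNS.items():
                for m in pat.finditer(line[1:]):
                    findings.append((commit, path, provider, mask(m.group()), line[0] == "+"))
    return findings

def keys_to_rotate(findings) -> list:
    """Every key that was ever added is exposed, whatever happened to it afterwards."""
    return sorted({(c, p, prov, m) for c, p, prov, m, added in findings if added})

# Constructed sample of `git log -p --all` output (newest commit first): the key is committed
# in .env in the first commit and deleted in the second, exactly the situation in the story.
SAMPLE_LOG = """commit 2222222bbbbbbb (HEAD -> main)
    remove .env and ignore it
diff --git a/.env b/.env
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-OPENAI_API_KEY=sk-EXAMPLEabcdefghijklmnopqrstuv0123
-DEBUG=true
commit 1111111aaaaaaa
    initial commit
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+OPENAI_API_KEY=sk-EXAMPLEabcdefghijklmnopqrstuv0123
+DEBUG=true
"""
```

Running `keys_to_rotate(scan_history(SAMPLE_LOG))` lists the key from the first commit even though the second commit deleted the file; on a real repository feed it the output of `git log -p --all`.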
Let’s talk about how to actually secure your API keys, beyond the basic advice that clearly isn’t working.
Why .env Files Are Just the Starting Point
Look, .env files are better than hardcoding keys directly in your source code. I'm not saying don't use them. But they're step one of ten, not the complete solution.