How to store API credentials safely
· Category: API & REST
Short answer
API credentials must be stored in a dedicated secret management system and retrieved at runtime, never hardcoded in source or kept in plaintext configuration files.
Steps
- Remove all credentials from source code and configuration files committed to version control.
- Use environment variables injected at runtime for non-sensitive configuration (base URLs, timeouts, feature flags). Keep actual secrets out of them where you can: environment variables are inherited by child processes and routinely end up in crash dumps, debug pages and CI logs.
- Store secrets in a dedicated vault such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
- Encrypt secrets at rest and restrict which identities (human and workload) can read each one with least-privilege, role-based policies.
- Rotate credentials on a schedule and automate the rollout so consumers pick up the new value without manual steps or downtime.
Tips
- Use short-lived dynamic credentials where possible.
- Audit access logs to detect unauthorized secret retrieval.
- Separate secrets by environment to limit blast radius.
- For Kubernetes, commit only encrypted manifests (Sealed Secrets, SOPS or a similar encrypted GitOps workflow); a plain Secret object is only base64-encoded, not encrypted.
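The following Python program is an added example, not code from the original page or from any vendor's SDK, of the pattern the steps and tips above describe: non-sensitive settings read from the environment, credentials read at runtime from a vault and held in a type that masks itself in logs, environment-scoped secret paths, an audit trail of reads, and short-lived leases that are refreshed before they expire. The InMemoryVault class and its put/get interface are an assumption standing in for a real client such as hvac (HashiCorp Vault) or boto3 (AWS Secrets Manager).

```python
"""Runtime secret-loading pattern: non-sensitive settings come from the
environment, credentials come from a vault, short-lived leases are refreshed
before they expire, and a wrapper type keeps values out of logs.

Added example. InMemoryVault stands in for a real client (hvac for HashiCorp
Vault, boto3 for AWS Secrets Manager); its interface is an assumption made
for this example, not any vendor's API.
"""
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class Secret:
    """Holds a credential. Only reveal() returns it; repr(), str() and
    f-strings print a mask, so a stray log line or traceback shows ****."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(****)"

    __str__ = __repr__


@dataclass(frozen=True)
class Lease:
    value: str
    expires_at: float  # epoch seconds; dynamic credentials come with a TTL


class InMemoryVault:
    """Stand-in for a vault client (assumption). The audit list mirrors the
    access log a real backend keeps, which is what you review for unexpected reads."""

    def __init__(self, ttl_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._store: Dict[str, str] = {}
        self.audit: List[Tuple[str, str]] = []

    def put(self, path: str, value: str) -> None:
        """Write or rotate a secret; outstanding leases keep the old value
        until the consumer refreshes them."""
        self._store[path] = value

    def get(self, path: str) -> Lease:
        self.audit.append(("read", path))
        if path not in self._store:
            raise KeyError(f"no secret at {path}")
        return Lease(self._store[path], self._clock() + self._ttl)


class SecretProvider:
    """Maps names to vault paths scoped by environment (prod/..., staging/...),
    so a deployment can only read its own environment's secrets, and caches
    leases, re-reading a secret shortly before its lease runs out."""

    def __init__(self, vault: InMemoryVault, env: str,
                 clock: Callable[[], float] = time.time,
                 refresh_margin: float = 30.0) -> None:
        self._vault = vault
        self._env = env
        self._clock = clock
        self._margin = refresh_margin
        self._cache: Dict[str, Lease] = {}

    def path(self, name: str) -> str:
        return f"{self._env}/{name}"

    def get(self, name: str) -> Secret:
        lease = self._cache.get(name)
        if lease is None or self._clock() >= lease.expires_at - self._margin:
            lease = self._vault.get(self.path(name))  # fetch or refresh
            self._cache[name] = lease
        return Secret(lease.value)


def setting(name: str, default: Optional[str] = None) -> str:
    """Non-sensitive configuration (base URLs, timeouts) may live in the
    environment; credentials should not, so this helper is never used for them."""
    value = os.environ.get(name, default)
    if value is None:
        raise RuntimeError(f"missing setting {name}")
    return value


if __name__ == "__main__":
    vault = InMemoryVault(ttl_seconds=300)
    vault.put("prod/api_token", "constructed-sample-token")  # constructed value
    provider = SecretProvider(vault, env="prod")
    token = provider.get("api_token")
    base_url = setting("API_BASE_URL", "https://api.example.com")
    print(f"calling {base_url} with {token}")  # prints Secret(****), never the value
    print("token length:", len(token.reveal()), "vault reads:", len(vault.audit))
```

Swap InMemoryVault for the real client and keep the rest: the cache means a dynamic credential is fetched once per lease rather than once per request, and the environment prefix means a staging deployment that is pointed at a prod-only secret fails loudly instead of silently reading the wrong value.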
Common issues
- Credentials accidentally committed to public repositories.
- Overly broad IAM policies allowing excessive secret access.
- Lack of rotation leading to stale or compromised keys remaining valid.
- Developers sharing credentials through insecure channels like chat or email.
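A scanner that catches the first common issue before the commit lands. This is an added example, not tooling from the original page; the rule set is a small constructed starting set rather than a complete signature list, and SAMPLE_SOURCE is a made-up file (the AWS key in it is the placeholder AWS uses in its own documentation). Wire it into a git pre-commit hook over the staged files, and into CI over the whole tree.

```python
"""Scan source text for hardcoded credentials before it is committed.

Added example: the rule list is a small, constructed starting set, not a
complete signature database, and SAMPLE_SOURCE is a made-up file.
"""
import math
import re
import sys
from dataclasses import dataclass
from typing import List, Pattern, Tuple

# (rule name, pattern whose group 1 is the secret, minimum entropy in bits/char).
# Specific formats come first so each line is reported once under its most
# precise rule. The generic rule matches "name = value" assignments and uses
# an entropy floor so obvious filler like "aaaaaaaaaaaaaaaa" is not reported.
RULES: List[Tuple[str, Pattern[str], float]] = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github_token", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 0.0),
    ("private_key",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), 0.0),
    ("generic_secret",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*"
                r"['\"]?([A-Za-z0-9_\-/+=]{16,})"), 3.0),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # first four characters only; the scanner never echoes the value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, filler scores low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<text>") -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, min_entropy in RULES:
            match = pattern.search(line)
            if match and shannon_entropy(match.group(1)) >= min_entropy:
                findings.append(Finding(path, line_no, rule, match.group(1)[:4] + "..."))
                break  # one report per line, under the most specific rule
    return findings


def scan_files(paths: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample file; the line numbers are what scan_text reports.
SAMPLE_SOURCE = """\
API_BASE_URL = "https://api.example.com"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = os.environ["API_KEY"]
client_secret = "${CLIENT_SECRET}"
token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
api_secret = "8f3a9c2e1b7d4f6a0c5e9b2d8a1f4c7e"
api_key = "aaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # With file arguments (e.g. from a pre-commit hook) scan those; otherwise
    # scan the built-in sample. Exit 1 on any finding so the hook blocks the commit.
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = scan_text(SAMPLE_SOURCE, "sample.py")
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    sys.exit(1 if results else 0)
```

The scanner reports only a redacted prefix of each hit so its own output does not become one more place the secret is written. Limitations worth knowing: short literal passwords (for example password = "changeme") fall under the 16-character floor of the generic rule, and every new token format needs a new rule, so treat this as a complement to a maintained tool such as gitleaks or trufflehog, not a replacement.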
Example
curl -X GET https://api.example.com/users -H "Accept: application/json" -H "Authorization: Bearer $TOKEN"
This curl command makes a standard GET request with a header for content negotiation and a bearer token for authentication. The token is read from the TOKEN variable rather than pasted inline, so it does not end up in the script or, when the command is typed interactively, in shell history. Two caveats: never move the token into a URL query parameter, where it would be recorded in server and proxy logs, and remember that command-line arguments are visible to other local users in the process list, so on shared hosts pass the header from a file with curl's --config option instead of -H.
Additional context
Applied consistently across projects, these practices keep credentials out of source history, limit the damage a single leaked key can do, and make rotation a routine operation rather than an incident response. Review them regularly as tooling and team workflows change.