API Key Management (unsure of where to start)

I’ve spent the past few months working on an app that’s about ready for release, but I have to remove an API key from the source code and place it server side. What services or server applications would you recommend? I would appreciate any suggestions.

Simplest way is to set your API keys as environment variables, then you get to use the environ.get function from inside your code, that way only your server has the API key.

Linux CLI:

export OPENAI_API_KEY="your_openai_api_key"

Code in Python to pull it back:

import os

# Read the key from the server's environment; returns None if it is not set
openai_api_key = os.environ.get('OPENAI_API_KEY')

# Example usage
print(openai_api_key)  # Print the API key

you can add the export command to your bash.rc so it’s always loaded

Any tips on how I can achieve this on iOS or android? I’m using Kivy-iOS and Python-For-Android.

API keys should not be on the device. Typically you would have a server that your app connects to for API call handling, and that is where your API keys are stored. AWS, Azure and others do offer an API key handling system as part of their solutions, not used them myself though.

That’s something I was reading about, that it should be hosted server side. I’ve been having difficulty figuring it out though, navigating through the corporate jargon and dozens of services AWS, Azure, and competitors have to offer hasn’t gotten me anywhere yet.

Ok, well, one of the simplest implementations of a “remote host server” is you running a spare laptop in your garage. You put Linux on it and you hook it up to your internet, so long as it has a static IP… there is your “remote server”. You can tell your app to connect to that machine and it handles the call to the OpenAI API and returns your responses; it could also serve your web pages via a Python Flask app. (That's why you see the example code in JS and Python.)

The next step up from that (or down, depending on your views of hosting services) is a few $ a month “VPS”: a virtual machine running on a company’s infrastructure that you rent. It acts just like a normal machine and you remote login via SSH or some GUI app. That machine is exactly like your home spare laptop, except it’s hooked up to (usually) more stable internet connections and reliable hardware. In a similar line are co-lo (co-located) servers, where you have a physical machine built and you ship it off to the company, who hook it up to their internet connections and power delivery, and you have it all to yourself and run your stuff on there.

A step up (for some :smiley: ) again is AWS or Azure or any of the other hundreds of managed services. These are virtual machines that allow you to deploy your app and web server on scalable hardware and software; it’s all basically just a machine to run your code and web pages from. Only the AWS and Azures of the world allow cool stuff like edge compute (where your services are close to users) and distributed databases and other stuff that helps greatly with scalability and uptime.

It’s all just versions of a remote machine somewhere, so don’t let the techy jargon put you off. :smiley:

Good thing I have an old Dell R710 and R720 laying around!! I could get it all set up on the R710 for now and consider switching to AWS or Azure if demand ever grows beyond what I can host at home. What I’m still unsure of is how the AWS and Google Cloud API key gateways work. Are those services only for apps hosted on their platform? I was interested in an option like that, but can’t seem to find straightforward directions on how I would integrate that with my app. As for hosting it on my own servers, what programs would you recommend I look into? Also, is it a good option to use the built-in Android and iOS keystore? I appreciate the information!


The key gateways have your API keys stored internally, and they get added to any API requests you make via them. But if you are going to self host, then you just need the keys to be on your server (preferably in an environment variable) and you’re all set.


Sounds pretty straightforward, I’ll set that up! I’m not exactly sure how to pass API requests through the server though, any suggestions? Also, is there any way to control where the requests come from to prevent abuse?
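The server-side setup discussed in this thread (the upstream key lives only in an environment variable on the server, and the app talks to that server instead of to the API directly), written out as an added example. This is not code from the thread, from OpenAI, Firebase or any other service mentioned; it uses only the Python standard library. The upstream endpoint URL, the per-app `X-App-Token` header, the `APP_TOKEN` environment variable and the limit of 10 requests per minute per client IP are all assumptions chosen for the example.

```python
"""Minimal server-side API-key proxy (added example, not code from the thread)."""
import hmac
import json
import os
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError, URLError

# Assumed upstream endpoint; the real key is only ever attached in build_upstream_request()
UPSTREAM_URL = "https://api.openai.com/v1/chat/completions"


def load_secret(name, env=os.environ):
    """Read a secret from the environment and refuse to start without it."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; export it on the server, never ship it in the app")
    return value


def client_authorized(headers, expected_token):
    """Check the app's own token (assumed header X-App-Token) in constant time."""
    presented = headers.get("X-App-Token", "")
    return hmac.compare_digest(presented.encode(), expected_token.encode())


class RateLimiter:
    """Fixed-window limit: at most `limit` requests per client per `window` seconds."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}  # client id -> (window start, count)

    def allow(self, client_id):
        now = self.clock()
        start, count = self._hits.get(client_id, (now, 0))
        if now - start >= self.window:  # window expired, start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self._hits[client_id] = (start, count)
            return False
        self._hits[client_id] = (start, count + 1)
        return True


def build_upstream_request(body_bytes, api_key):
    """Forward only the JSON fields the app is meant to set; attach the real key here."""
    payload = json.loads(body_bytes)  # raises ValueError on non-JSON input
    allowed = {"model", "messages"}  # assumed allow-list of pass-through fields
    clean = {k: v for k, v in payload.items() if k in allowed}
    return urlrequest.Request(
        UPSTREAM_URL,
        data=json.dumps(clean).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )


class ProxyHandler(BaseHTTPRequestHandler):
    api_key = None    # set once in main() from the environment
    app_token = None  # shared secret the app presents; also from the environment
    limiter = RateLimiter()

    def do_POST(self):
        if not client_authorized(self.headers, self.app_token):
            return self._reply(401, {"error": "unauthorized"})
        if not self.limiter.allow(self.client_address[0]):
            return self._reply(429, {"error": "rate limited"})
        length = int(self.headers.get("Content-Length", "0"))
        try:
            upstream = build_upstream_request(self.rfile.read(length), self.api_key)
        except (ValueError, TypeError, AttributeError):
            return self._reply(400, {"error": "bad request"})
        try:
            with urlrequest.urlopen(upstream, timeout=30) as resp:
                self._raw_reply(resp.status, resp.read())
        except HTTPError as err:  # pass the upstream status through, never the key
            self._raw_reply(err.code, err.read())
        except URLError:
            self._reply(502, {"error": "upstream unavailable"})

    def _reply(self, status, obj):
        self._raw_reply(status, json.dumps(obj).encode())

    def _raw_reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main():
    ProxyHandler.api_key = load_secret("OPENAI_API_KEY")
    ProxyHandler.app_token = load_secret("APP_TOKEN")  # assumed name for the app's token
    HTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it with `OPENAI_API_KEY` and `APP_TOKEN` exported on the server (as in the earlier reply), and have the app POST its JSON to `http://server:8080/` with the `X-App-Token` header. The app token only proves the request came from your app build, so the per-IP limit is what bounds the damage if that token is extracted; the allow-list in `build_upstream_request` is what stops a client from setting fields you did not intend to expose.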

I’d probably start with looking at Firebase Functions unless you’re really excited about running your own servers.


I would definitely prefer to use a service like that instead of hosting it myself, I’ll take a look into that. I appreciate the info!

So I have the Firebase function set up and it appears to be running, but the tutorial doesn’t really go into detail on how to connect it on the client side. I’d appreciate any suggestions!

Update: it took a few days to learn how to use Firebase and set everything up correctly with my app, but I figured it out and everything is working as intended! Thanks again for pointing me in the right direction, the article was very helpful!


The cheapest would be to buy an ATmega chip and two crystals, build a microcontroller and add a network interface.
Could be less than a dollar :sweat_smile:
