API security (key management)


I’ve created an app for myself – a simple word processor in Python – and I have a couple of author friends interested in trying it out.

I’ve created apps in the past and shared them but I’m new to sharing apps that have an API key and I don’t know where to start with key management security, the software or best practices.

I’ve read the OpenAI best practises around the subject but it seems to be for people who already know their way around that kind of thing.

So, how do I add my API key securely to my app so I can share it?

Thank you for reading,


Your app should have a user interface and a server hosted somewhere.
The API key should be stored on the server environment variables.

The end users will not have access to the API key because all OpenAI API requests will be sent via your server.

The environment variables storage differ from a server to another.

An easy way to start is with Heroku.
A lot of configuration is made through its dashboard. Including the environment variables.

1 Like

Thank you!

I notice Heroku mentions Windows/Linux and Django. I should have said that the app is currently on a Mac and uses tkinter. Will this matter?

You will need to install Heroku CLI on your Mac to run the app locally.

I don’t know how the Mac works, but it definitely runs on Mac OS.

Here is a tutorial.

When you think that your app is ready for sharing, you will have to deploy your local version of the app to Heroku via CLI.

You will need to store the API key on your machine environment variables when it runs locally and on Heroku for online use.

Thank you again.

My app is a standalone and not web-based, will this be a problem?

All you need to do to solve your key management problem is to store the environment variables using the heroku dashboard.

See using Heroku Dashboard section here:

Wonderful. Thank you!

If it’s a standalone app you will pass the API key when you pass the web app.