How do you store your API Keys in production?

It’s a best practice that API keys must never be stored inside code or with the software that is distributed.

So it makes sense to have a middleware that would safely store the API key and somehow allow the validated requests to be sent to the OpenAI API with the valid (and securely stored) API key.

Have you deployed your OpenAI based application to production? What was your approach?

1 Like

usually you use environment variables for API keys, as well as other environment-dependent configurations (credentials, etc)

Yes, that would make sense in development. For production however, the API key must never end up on the client side.

thats why you use environment variables


How would one allow an end user to use one’s software without having access to the API key? From what I understand, an environment variable is local and not a very secure thing.

Nevermind, I am reading about cloud endpoints, ESP’s and API key management. For anyone that ever needs it, this is a decent resource Why and when to use API keys  |  Cloud Endpoints with OpenAPI  |  Google Cloud!


Hi @FlashAndromeda,

Thanks for sharing.

1 Like

We published a post about how we’re helping people do this using a gateway Protect your OpenAI API Keys | Zuplo Docs


That sounds like a great product for devs looking to consume the completions endpoint for their product.

Nicely done docs too!

Would be great to see docs on consuming the images endpoint as well.

Actually, completions is just an example there - it should work similarly for any HTTP API.

1 Like