How do you store your API Keys in production?

It’s a best practice that API keys must never be stored inside code or with the software that is distributed.

So it makes sense to have a middleware that would safely store the API key and somehow allow the validated requests to be sent to the OpenAI API with the valid (and securely stored) API key.

Have you deployed your OpenAI based application to production? What was your approach?

1 Like

usually you use environment variables for API keys, as well as other environment-dependent configurations (credentials, etc)

Yes, that would make sense in development. For production however, the API key must never end up on the client side.

thats why you use environment variables


How would one allow an end user to use one’s software without having access to the API key? From what I understand, an environment variable is local and not a very secure thing.

Nevermind, I am reading about cloud endpoints, ESP’s and API key management. For anyone that ever needs it, this is a decent resource Why and when to use API keys  |  Cloud Endpoints with OpenAPI  |  Google Cloud!


Hi @FlashAndromeda,

Thanks for sharing.

1 Like