API Key Security

Last updated 2026-03-10

Keep Your Keys Secret

Your API key provides access to your organization's standards and API specs. Treat it like a password — never share it publicly, commit it to a code repository, or include it in client-side code.

  • Store API keys in environment variables, not in source code.
  • Never paste API keys in public channels like Slack or email.
  • Use a secrets manager if your infrastructure supports it.

Rotate Keys Regularly

Even if you have not had a security incident, rotating your API keys periodically is a good practice. We recommend rotating keys at least every 90 days. You can rotate a key from the API Keys page in your settings.

When you rotate a key, update it in all the tools that use it before the old key expires.

Use Descriptive Names

When you create an API key, give it a name that tells you where it is used. For example, "Cursor - Work Laptop" or "CI/CD Pipeline." This makes it easy to know which key to revoke if a device is lost or a service is decommissioned.

What to Do If a Key Is Leaked

If you suspect an API key has been exposed:

  1. Revoke the key immediately from the API Keys page.
  2. Create a new key and update your tools with the new value.
  3. Review activity logs to check for any unauthorized access.
  4. Notify your team so they are aware of the incident.

Acting quickly limits the potential impact of a leaked key.

Still need help?

Our support team is happy to help with any questions you may have.

support@codecontext.app