How to safely store API keys in a GitHub project? #188310
Replies: 2 comments
The short answer: never store API keys directly in your repository, especially in a public one. Here are the safest and most common approaches:

1. Use GitHub Secrets (best for projects using GitHub Actions)

If your project uses CI/CD, store your API keys in Repository Secrets: Repository → Settings → Secrets and variables → Actions → New repository secret. Then reference them in your workflow:

env:

Secrets are encrypted and never exposed in logs (unless you explicitly print them).

2. Use Environment Variables (best for local development)

Store keys in environment variables instead of hardcoding them. Example .env file (do NOT commit this):

API_KEY=your_key_here

Add .env to your .gitignore so it never gets pushed. Then load it in your app (depending on your language/framework).

3. Use Environment Protection (for production deployments)

If deploying via GitHub, use Environment Secrets with protection rules.

4. If you accidentally commit a key

Immediately:
- Revoke/regenerate the key from the provider.
- Remove it from Git history.
- Rotate credentials.

Never assume deleting the file is enough — Git history keeps it.
The "Gold Standard" for Securing API Keys on GitHub
- Create a .env file: store your keys here locally (e.g., STRIPE_KEY=sk_test_51...).
- Update .gitignore: immediately add .env to your .gitignore file. This tells Git to never track this file, ensuring it never leaves your machine.
- Create a .env.example: commit a template file (e.g., STRIPE_KEY=your_key_here) so other contributors know which variables they need to set up without seeing your actual values.

- Go to your repository Settings > Secrets and variables > Actions.
- Add a New repository secret. These are encrypted and can only be accessed by your code at runtime—they are never visible in the clear.
- In your workflow YAML, reference them like this: API_KEY: ${{ secrets.MY_API_KEY }}.

- Go to Settings > Code security and analysis.
- Ensure Secret scanning and Push protection are enabled. If you accidentally try to commit a known secret format (like an AWS or Google Cloud key), GitHub will block the push before it reaches the server, saving you from a potential leak.

What if I already committed a key?

- Revoke/Rotate: treat the key as compromised. Deactivate it immediately in your provider's dashboard (e.g., OpenAI, AWS).
- Scrub History: use a tool like git-filter-repo or BFG Repo-Cleaner to remove the secret from every past commit in your repository's history.
- Force Push: you will need to force-push the cleaned history to GitHub (git push --force).
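Both replies above describe the same local hygiene: keep real values in a git-ignored .env, commit only a .env.example template, and fail loudly when a key is missing rather than hardcoding one. The following Python script is an added example written for this discussion (it is not code from either reply and not GitHub's secret-scanning or push-protection logic). It parses a .env file, checks that .gitignore actually excludes it, compares it against .env.example to catch a real value pasted into the template, and loads a key with a redacting error path. The sample .env, .env.example and .gitignore contents, and the short `SECRET_PREFIXES` list, are constructed for the demo; the `sk_test_` prefix comes from the Stripe example in the reply, the others are assumptions.

```python
"""Added example (not from the discussion above): checks that mirror the
advice in both replies. Sample files and prefix list are constructed."""
import fnmatch
import os
import re

# Constructed sample files; the values are placeholders, not real credentials.
DOTENV = """
# local secrets, never committed
export API_KEY=dev-key-placeholder
STRIPE_KEY="sk_test_51FAKEFAKEFAKE"
"""
DOTENV_EXAMPLE = """
API_KEY=your_key_here
STRIPE_KEY=sk_test_51FAKEFAKEFAKE
"""
GITIGNORE = """
node_modules/
.env
"""

# Simplified prefixes of well-known key formats (assumption for this demo).
SECRET_PREFIXES = ("sk_test_", "sk_live_", "AKIA")

_LINE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def parse_dotenv(text):
    """Parse KEY=value lines; skips comments and blank lines, strips quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def gitignore_covers(gitignore_text, path=".env"):
    """True if the last matching .gitignore pattern for `path` is not negated."""
    covered = False
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negated = pat.startswith("!")
        pat = pat.lstrip("!").rstrip("/").lstrip("/")
        if fnmatch.fnmatch(path, pat):
            covered = not negated
    return covered


def looks_like_secret(value):
    """Cheap prefix check in the spirit of push protection (not GitHub's rules)."""
    return value.startswith(SECRET_PREFIXES)


def compare_with_example(env, example):
    """Return (keys missing from the template, template keys holding a real-looking value)."""
    missing = sorted(k for k in env if k not in example)
    leaked = sorted(k for k, v in example.items()
                    if v and (v == env.get(k) or looks_like_secret(v)))
    return missing, leaked


def redact(value):
    """Show only the last four characters, e.g. for a startup log line."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def require_env(name, environ=os.environ):
    """Fail fast if a key is absent; the error never echoes the value."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; put it in .env or a repository secret")
    return value


def audit(dotenv=DOTENV, example=DOTENV_EXAMPLE, gitignore=GITIGNORE):
    """Run all checks and return a list of human-readable findings."""
    env = parse_dotenv(dotenv)
    findings = []
    if not gitignore_covers(gitignore):
        findings.append(".env is not ignored by git")
    missing, leaked = compare_with_example(env, parse_dotenv(example))
    findings += [f"{k} missing from .env.example" for k in missing]
    findings += [f"{k} in .env.example holds a real-looking value" for k in leaked]
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("WARN:", finding)
    print("loaded STRIPE_KEY", redact(require_env("STRIPE_KEY", parse_dotenv(DOTENV))))
```

Run as-is, the audit flags that the constructed .env.example contains the same STRIPE_KEY value as .env, which is exactly the mistake the template file is meant to avoid. In a real project the audit would read the three files from disk and could run as a pre-commit hook; GitHub's own push protection remains the backstop for anything that slips past it.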
Topic area: Question
I am working on a small project and I want to keep my API keys secure.
What is the best way to store them without exposing them in a public repository?