Protect secrets
- Store API keys in a secrets manager.
- Restrict secret access by environment and role.
- Avoid logging full keys.
Limit blast radius
- Use separate keys for each environment and integration.
- Revoke compromised or unused keys immediately.
Rotate keys
- Rotate on a fixed schedule.
- Rotate after team or vendor access changes.
- Test key rollover before revoking the old key.
Validate failures safely
When troubleshooting auth failures:- Check header format first.
- Confirm product and endpoint access requirements.
- Avoid sharing raw keys in tickets or chat.
