Your API key can spend your credits, so keep it private — just like a password.
- Store your key on your server, not in code that runs in a visitor's browser or a mobile app.
- Keep it in a secret or environment variable, not pasted directly into your code.
- Never share it publicly or commit it to a shared code repository.
- Use separate keys for separate projects, so you can remove one without affecting the others.
If a key leaks
If you think a key has been exposed, delete it straight away from the API keys page and create a new one. A deleted key stops working immediately and cannot be used again.
Did this help?
If you still have a question, we are happy to help.