Security

Keep project API keys private.

A project API key can send content into a project, so treat it like a backend secret.

Rules

Do

  • Store keys in backend environment variables.
  • Rotate keys that were exposed.
  • Create separate keys for development and production.
  • Delete unused keys from the project dashboard.

Do Not

  • Put project keys in frontend JavaScript.
  • Commit keys to Git.
  • Share one key across unrelated projects.
  • Paste production keys into public logs.
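The following Python helper is an added example, not code from the original page or from any particular product: it reads the key only from a backend environment variable (the variable name PROJECT_API_KEY and the sample key value are assumptions), scans staged files or a built frontend bundle for the real key value before commit or deploy, and redacts the key from log lines.

```python
"""Backend-side handling of a project API key: read it only from the environment,
refuse to start without it, keep it out of committed files and bundles, and
keep it out of log output."""
import os
from typing import Iterable, Mapping

# Assumed variable name; the page does not name one.
KEY_VAR = "PROJECT_API_KEY"


def load_key(env: Mapping[str, str] = os.environ, var: str = KEY_VAR) -> str:
    """Return the key from the environment, or raise so a misconfigured
    deployment fails closed instead of running with an empty or hard-coded key."""
    value = env.get(var, "").strip()
    if not value:
        raise RuntimeError(f"{var} is not set")
    return value


def find_leaks(files: Mapping[str, str], secrets: Iterable[str]) -> list:
    """Return (path, line_number) for every line containing a known secret value.
    Feed it staged files from a pre-commit hook or the built frontend bundle in
    CI; any hit means the key has left the backend."""
    secrets = [s for s in secrets if s]
    hits = []
    for path, content in files.items():
        for number, line in enumerate(content.splitlines(), start=1):
            if any(secret in line for secret in secrets):
                hits.append((path, number))
    return hits


def redact(line: str, secrets: Iterable[str]) -> str:
    """Replace every known secret value in a log line before it is written."""
    for secret in secrets:
        if secret:
            line = line.replace(secret, "[REDACTED]")
    return line


if __name__ == "__main__":
    # Constructed sample: one key known only to the backend, one leaked file.
    env = {"PROJECT_API_KEY": "pk_example_0123456789"}  # constructed value
    key = load_key(env)
    staged = {
        "frontend/app.js": 'const client = init("pk_example_0123456789");\n',
        "backend/config.py": 'KEY = os.environ["PROJECT_API_KEY"]\n',
    }
    for path, number in find_leaks(staged, [key]):
        print(f"{path}:{number}: project key found; move it to a backend env var")
    print(redact(f"request sent with key {key}", [key]))
```

Run find_leaks in a pre-commit hook with the developer's own key and in CI over the frontend build output; a non-empty result should fail the commit or the build.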