I finished a project that contains an API Key and I want to upload it to Github. I want to be careful not to expose the API Key on Github.

Two methods I've discovered are

  1. Using .gitignore to hide the file(s) containing sensitive information
  2. Simply changing the API Key value to "YOUR-API-KEY-HERE" before uploading to Github. Like so:

ApiKey="YOUR-API-KEY-HERE"

Questions

If the file containing my API Key is 'hidden' in .gitignore and I upload my project to GitHub, will this cause my project to not function properly for anyone who downloads it, because the project can't find the 'hidden' API Key? If someone looks at my project on GitHub, are the 'hidden' files inaccessible to them?

In which cases should I use .gitignore or the "YOUR-API-KEY-HERE" method?

Comment: Ideally, your API key should never be in the codebase to begin with. A common option is to take the API key by environment variable or command-line flag, with the CI system and/or deployment (Kubernetes, etc.) handling the key on your behalf. Alternatively, the API key may be stored in a file or database present when the application is deployed rather than hardcoded in development. Commented Dec 28, 2020 at 18:52

1 Answer

Typically, other individuals who download your code will need to acquire their own API key to make your project run (depending on how your project is set up). They will then add the API Key to their fork (as a secret) or local repository on their machine.

You can securely store your API key as a "Secret" in your GitHub repository by going to:

  1. Settings tab at top of your repo
  2. Secrets option near bottom of left-most column
  3. New Repository Secret
  4. Enter the variable name for your API Key in the Name field (example: SECRET_API_KEY)
  5. Enter your API Key value into the Value field.
  6. Add Secret

Now you just need to ensure that your project references the SECRET_API_KEY variable.

Note: Other individuals will not be able to access this Secret. Only you, as repo owner, can access this key. Other developers will need to acquire their own API key and store it as a secret in their fork of your project.
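One way to make a project "reference the SECRET_API_KEY variable" so that a clone without the secret fails loudly instead of silently using a leaked or placeholder key. This is an added example, not code from the answer or the asker's project; the environment variable name SECRET_API_KEY and the placeholder string come from the page, while the git-ignored `.env` file, its `KEY=VALUE` format, and the function names are assumptions.

```python
import os
from pathlib import Path

ENV_VAR = "SECRET_API_KEY"          # name of the GitHub repository secret
PLACEHOLDER = "YOUR-API-KEY-HERE"   # value committed in place of the real key


class MissingApiKey(RuntimeError):
    """Raised when no usable API key can be found."""


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser for a git-ignored .env file (assumed format).
    Blank lines, '#' comments and surrounding quotes are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def is_usable(value) -> bool:
    """Reject empty values and the committed placeholder."""
    return bool(value) and value != PLACEHOLDER


def resolve_api_key(environ: dict, dotenv_text=None) -> str:
    """Environment first (this is where GitHub Actions injects a repository
    secret, e.g. `env: SECRET_API_KEY: ${{ secrets.SECRET_API_KEY }}` in the
    workflow), then a git-ignored .env file for local development."""
    key = environ.get(ENV_VAR)
    if not is_usable(key) and dotenv_text is not None:
        key = parse_dotenv(dotenv_text).get(ENV_VAR)
    if not is_usable(key):
        raise MissingApiKey(
            f"{ENV_VAR} is not set. Export it, add it as a repository secret, "
            "or put it in a git-ignored .env file; see README for how to obtain a key."
        )
    return key


def load_api_key(dotenv_path=".env") -> str:
    """Convenience wrapper used by the application at startup."""
    path = Path(dotenv_path)
    text = path.read_text() if path.is_file() else None
    return resolve_api_key(os.environ, text)
```

Add `.env` to `.gitignore` and commit a `.env.example` containing only the placeholder, so the README instruction "get your own key" has a concrete file to point at.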

2 Comments

When a user forks my project and has their own API Key, are they explicitly asked by Github right after forking to supply the key as a secret on their website or does the user have to look around on the website for the option to supply the key as a secret?
I'm happy to test this with you. Are you willing to share the url to your repository? I will fork it and check and see what happens with the Secrets section. My impression is that I would need to create my own API key to get things to work. If this were my project, I'd explicitly mention that in the README so that others are aware.
