Use API Keys Securely
Custodian Labs API keys authenticate requests and are tied to account usage, request limits, and plan access.
Treat API keys like passwords.
Do
- Store keys in environment variables or a secret manager.
- Call Custodian Labs APIs from your backend.
- Restrict who can access production keys.
- Rotate a key if it may have been exposed.
- Use separate keys or environments when your team supports them.
Do Not
- Do not put API keys in frontend browser code.
- Do not commit keys to GitHub.
- Do not paste real keys into docs, screenshots, issues, or chat messages.
- Do not share production keys in local test scripts.
- Do not log full API keys.
Local Development
Use environment variables:
export CUSTODIAN_API_KEY="your_api_key_here"
export CUSTODIAN_API_BASE_URL="<your_api_base_url>"
Read the values from your application configuration instead of hard-coding them.
Production
Use your platform's secret storage, such as:
- Vercel Environment Variables.
- AWS Secrets Manager.
- Google Secret Manager.
- Azure Key Vault.
- Kubernetes Secrets.
Only backend services should read the key.
If a Key Is Exposed
If a key appears in a public place or is sent to the wrong person:
- Stop using that key.
- Remove it from code, logs, screenshots, or messages where possible.
- Rotate or revoke the key.
- Update your backend environment with the new key.
- Check usage for unexpected activity.
Safer Backend Pattern
Frontend
-> Your backend endpoint
-> Custodian Labs API with X-API-Key
-> Your backend
-> Frontend
This keeps the key away from the browser and lets your backend control validation, logging, retries, and rate handling.