Skip to main content

Use API Keys Securely

Custodian Labs API keys authenticate requests and are tied to account usage, request limits, and plan access.

Treat API keys like passwords.

Do

  • Store keys in environment variables or a secret manager.
  • Call Custodian Labs APIs from your backend.
  • Restrict who can access production keys.
  • Rotate a key if it may have been exposed.
  • Use separate keys or environments when your team supports them.

Do Not

  • Do not put API keys in frontend browser code.
  • Do not commit keys to GitHub.
  • Do not paste real keys into docs, screenshots, issues, or chat messages.
  • Do not share production keys in local test scripts.
  • Do not log full API keys.

Local Development

Use environment variables:

export CUSTODIAN_API_KEY="your_api_key_here"
export CUSTODIAN_API_BASE_URL="<your_api_base_url>"

Read the values from your application configuration instead of hard-coding them.

Production

Use your platform's secret storage, such as:

  • Vercel Environment Variables.
  • AWS Secrets Manager.
  • Google Secret Manager.
  • Azure Key Vault.
  • Kubernetes Secrets.

Only backend services should read the key.

If a Key Is Exposed

If a key appears in a public place or is sent to the wrong person:

  1. Stop using that key.
  2. Remove it from code, logs, screenshots, or messages where possible.
  3. Rotate or revoke the key.
  4. Update your backend environment with the new key.
  5. Check usage for unexpected activity.

Safer Backend Pattern

Frontend
-> Your backend endpoint
-> Custodian Labs API with X-API-Key
-> Your backend
-> Frontend

This keeps the key away from the browser and lets your backend control validation, logging, retries, and rate handling.

Next Steps