Body
This guide explains what API keys are, why they matter, and how to keep them safe. It’s written for people who may not have a technical background but work with systems, apps, or partners that use API keys. For more detailed, technical guidance on managing API keys, please refer to the attached "Securing Integrations That Use API Keys" document.
What is an API Key?
API Key Risks
General Guidelines
Handling API Keys Step by Step
Special Considerations
Checklist Before You Use an API Key
API Key Lifecycle at a Glance
Final Notes
Think of an API key like a password that one system uses to prove who it is when talking to another system. Unlike your personal login password, an API key usually belongs to an application or service, not a person. If someone steals it, they might gain access to important data or systems.
API keys can be misused if they’re not handled carefully. Some common problems include:
- Keys can accidentally be shared in code, documents, or emails.
- Keys can get copied into public websites, apps, or logs where anyone can see them.
- Keys that never expire can keep working long after they should have been replaced.
- If a key grants broad access to an application or data, it can be very damaging if stolen.
To keep API keys safe, remember:
- Keep them secret – never post them in code, email, or chat.
- Limit their power – keys should only have the minimum access needed.
- Set an expiration date – keys should be replaced regularly (about every 90 days).
- Watch for problems – unusual activity (like access from another country) may mean a key is stolen.
- Know the owner – every key should have a person or team responsible for it.
Creating and Tracking Keys
- Always create and store keys in an approved system (like a secure password manager, not a sticky note). Dartmouth-approved tools for credential management include Bitwarden and CyberArk.
- Record who owns the key, what it’s for, and when it expires.
Sharing Keys
- Never share one key across multiple systems. Each system should have its own.
- Don’t send keys through chat, email, or text messages.
Storing Keys
- Store them in a secure location (like a secrets manager or locked vault).
- Never include them in code or files that others can see.
Using Keys
- Always connect using HTTPS (the lock symbol in a browser).
- Put the key in the request header, not in the web address.
- Never expose private keys to browsers or public apps.
Replacing Keys (Rotation)
- Replace keys every 90 days or sooner if needed.
- Have a process ready to quickly replace a key if it gets stolen.
Monitoring & Responding
- Keep an eye on how and where keys are used.
- If you see unusual activity, revoke the key immediately and investigate.
- Public apps (like mobile or web apps)
- Don’t include private keys in these apps. If you must use one, restrict it so it only works from specific places.
- Partners and third-party apps
- Make sure they also follow these rules:
- Keys should expire
- Keys should be replaced regularly
- Keys should be protected
You can copy and paste this list to use as a general checklist for setting up API keys:
☐ Key is stored safely (not in code or files).
☐ Key has an owner (a person or team).
☐ Key has limited access (only what’s needed).
☐ Key has an expiration date (≤ 90 days).
☐ Monitoring is in place to detect unusual use.
☐ There’s a plan for replacing the key if needed.
This simple diagram shows the safe handling cycle for API keys (click on the image to see a full-size version):
API keys are powerful. Treat them like the keys to your office or home:
- Don’t hand them out carelessly.
- Change the locks if a key goes missing.
- Keep track of who has access.
By following these simple practices, you’ll help keep your organization’s data and systems safe.