Security and API Key Handling
API keys are sensitive credentials. Do not put real keys in public docs, GitHub, screenshots, or chats.
1. Correct practice
- Public docs use placeholders such as `your_synterolink_key`.
- Local terminals use environment variables.
- Team projects use `.env` and add it to `.gitignore`.
- CI/CD uses platform secrets.
- Rotate keys immediately after leakage or role changes.
2. Local environment variables
```sh
export OPENAI_API_KEY="your_synterolink_key"
export ANTHROPIC_AUTH_TOKEN="your_synterolink_key"
```
3. .env example
```sh
OPENAI_API_KEY=your_synterolink_key
ANTHROPIC_AUTH_TOKEN=your_synterolink_key
```
Do not commit `.env`.
4. Git ignore
```
.env
.env.*
*.local
```
5. Team management
| Scenario | Recommendation |
|---|---|
| Personal testing | Personal key with limited permissions |
| Team sharing | Team key with limited scope |
| Production service | Dedicated production key with quota control |
| Leakage | Disable the old key and issue a new one |
6. Pre-publish check
```sh
grep -R "sk-" .
```
If a real key is found, remove it, rotate the key, and redeploy.
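The following is an added example, not part of the SynteroLink documentation or tooling: it turns the `.gitignore` rule from section 4 and the `grep` from section 6 into one pre-publish check that fails when a key-like string is present in the working tree or when `.env` is not ignored. The `sk-` prefix and the `.env` file names are taken from this page; the function names and the key-length pattern are assumptions.

```sh
#!/bin/sh
# Added example (not SynteroLink's own tooling). Scans a directory for
# key-looking strings and checks that .env is covered by .gitignore.

# Print file:line for every "sk-..." string outside .git and the .env files
# themselves (those are expected to hold the real key locally).
# Exit status follows grep: 0 if something was found, 1 if nothing was.
scan_for_keys() {
    dir="${1:-.}"
    grep -R -n -I --exclude-dir=.git --exclude='.env' --exclude='.env.*' \
        -E 'sk-[A-Za-z0-9_-]{8,}' "$dir"
}

# Return 0 if $dir/.gitignore contains a rule for .env or .env.*, else 1.
env_is_ignored() {
    dir="${1:-.}"
    [ -f "$dir/.gitignore" ] && grep -q -E '^\.env(\.\*)?$' "$dir/.gitignore"
}

# Combined check: returns 0 only if no key-like strings were found
# and .env is ignored. Matches are printed so they can be removed.
prepublish_check() {
    dir="${1:-.}"
    status=0
    if scan_for_keys "$dir"; then
        echo "FAIL: key-like strings found above; remove them and rotate the key" >&2
        status=1
    fi
    if ! env_is_ignored "$dir"; then
        echo "FAIL: $dir/.gitignore does not ignore .env" >&2
        status=1
    fi
    return $status
}
```

Run it as `prepublish_check /path/to/project` from a release script so a non-zero exit blocks the publish step.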