Developer Guide

How to Store API Keys Securely: A Practical Guide

Every developer has a pile of API keys. Most are stored badly. Here's how to do it right — covering the common traps and a step-by-step workflow that's actually sustainable.

Common Mistakes

Where Developers Store API Keys (and Shouldn't)

These storage approaches feel convenient. All of them create real security exposure.

📝 Plain text files on desktop
Keys.txt on your desktop. We've all done it. The problem: no encryption, shows up in file search results, gets accidentally synced to iCloud/Dropbox, and lives forever on backup drives. One compromised cloud sync = all your keys exposed.
📓 Notion or Google Docs
Feels organized. The problem: your keys live on someone else's server, unencrypted at the application level (the provider encrypts at the infrastructure level, not per-user). Account compromise = key exposure. Also, many people share Notion workspaces with collaborators.
💬 Slack DMs to yourself
"I'll DM it to myself for easy access." The problem: Slack indexes and searches everything. Slack's free plan may expose messages. Workspace admins can access DMs. And that message will show up in search results for years.
📖 Browser bookmarks / notes
The browser's URL bar remembers a key if you ever pasted one there. Browser notes and bookmarks sync to the cloud unencrypted. The problem: any browser extension with "read tab data" permissions can see your bookmarks. That's most ad blockers and productivity tools.
🔗 Git repositories (even private)
Private repos feel safe. The problem: git history is forever. A key committed even once is in the history of every clone. If the repo ever becomes public — intentionally or not — that key is exposed. GitHub's secret scanning will find it.
📱 Screenshots in camera roll
Screenshotting an API key to copy it later. The problem: photos sync to iCloud/Google Photos automatically. Apple scans photos for content. And that screenshot will show up in "Recents" on every device on your account.
The Right Approach

How to Store API Keys Securely — The Correct Approaches

🔐 Encrypted vault (API Locker)
For your personal dev workflow — the keys you need when you're on an API dashboard, starting a new project, or rotating credentials. AES-256-GCM encrypted, zero cloud on the free plan, with smart site detection that surfaces the right key automatically.
🗂️ .env files + .gitignore
For per-project configuration. Use dotenv in Node.js, python-dotenv in Python, or your framework's built-in env loading. Always add .env to .gitignore before you create the file. Load keys via process.env.KEY_NAME, never hardcode them.
☁️ Platform secrets (production)
For deployed applications: use your hosting platform's native secrets management. Vercel environment variables, Railway secrets, AWS SSM Parameter Store, or HashiCorp Vault for complex infrastructure. These integrate with your CI/CD and never touch your local filesystem.
🏢 Team secrets managers
For team environments: 1Password Teams, Doppler, or Infisical. These handle access control (who can see what), audit logs, and sync across team members. Worth setting up once your team has more than 2-3 people sharing credentials.
Step by Step

Setting Up API Locker: A 5-Minute Walkthrough

For your personal dev workflow, this is the fastest path to secure, organized key storage.

1. Install API Locker from the Chrome Web Store
Takes 30 seconds. Click "Add to Chrome" on the Chrome Web Store page. No account required. The extension icon appears in your browser toolbar immediately.
2. Set your master password
On first open, you'll set a master password. This is the secret that protects your entire vault. Write it down and store it somewhere safe — there's no recovery mechanism by design (zero-knowledge). Your password never leaves your device.
3. Add your first key
Click the + button, select the provider (e.g. OpenAI), give it a label (e.g. "Production — GPT-4 app"), paste the key, and optionally set an expiry date. The key is encrypted with AES-256-GCM and saved locally. It never touches a server in plaintext.
4. Visit an API dashboard — see the magic
Navigate to platform.openai.com. The API Locker icon will show a badge indicating it found matching keys. Open the popup — your OpenAI keys are listed. One click copies to clipboard. No searching, no tab switching.
5. Migrate your existing keys
Spend 20 minutes going through your old storage locations (Notion, text files, password manager) and moving keys into API Locker with proper labels. Once they're in, delete the old copies. One source of truth, encrypted and organized.
For Your Projects

The .env File Pattern — Done Right

API Locker handles your personal key vault. For per-project configuration, the .env pattern is still the right approach. Here's how to set it up correctly:

# .env (never commit this file)
OPENAI_API_KEY=sk-proj-your-key-here
STRIPE_SECRET_KEY=sk_live_your-key-here
GITHUB_TOKEN=ghp_your-token-here

# .gitignore — add this on day ONE
.env
.env.local
.env.*.local
# Keep .env.example — it shows which keys are needed, without values
!.env.example

# .env.example (commit this — it documents what keys are needed)
OPENAI_API_KEY=your-openai-key-here
STRIPE_SECRET_KEY=your-stripe-key-here
GITHUB_TOKEN=your-github-token-here

The workflow: API Locker holds your master copies. When you start a new project, you open API Locker, find the right key, and paste it into your .env file. The .env file is the project-specific deployment config. API Locker is where the actual key lives.
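As an added example (not part of this guide or of API Locker), the following Node.js check enforces the .env pattern above before a commit: it verifies that .gitignore covers the .env files but not .env.example, that every key in .env.example is present in .env with a real value, and that .env.example itself holds only placeholders. The placeholder shapes, the simplified .gitignore matching and the sample file contents are assumptions.

```javascript
// Added example, not from the guide. Works on file contents passed as strings, so
// the constructed samples below run without touching disk.
const PLACEHOLDER = /^$|your-.*-here|changeme/i; // assumed placeholder shapes

// Minimal KEY=VALUE parser; skips blank lines and # comments.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) vars[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return vars;
}

// Simplified .gitignore matching for top-level files: supports *, ? and
// ! negation; as in git, the last matching rule wins.
function isIgnored(gitignoreText, path) {
  let ignored = false;
  for (const raw of gitignoreText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const negate = line.startsWith("!");
    const pat = negate ? line.slice(1) : line;
    const re = new RegExp("^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]") + "$");
    if (re.test(path)) ignored = !negate;
  }
  return ignored;
}

// Returns a list of problems; an empty list means the project follows the pattern.
function checkEnvHygiene({ env, example, gitignore }) {
  const problems = [];
  for (const f of [".env", ".env.local"]) {
    if (!isIgnored(gitignore, f)) problems.push(`${f} is not ignored by .gitignore`);
  }
  if (isIgnored(gitignore, ".env.example")) problems.push(".env.example is ignored but should be committed");
  const have = parseEnv(env), need = parseEnv(example);
  for (const [k, v] of Object.entries(need)) {
    if (!(k in have)) problems.push(`${k} is listed in .env.example but missing from .env`);
    else if (PLACEHOLDER.test(have[k])) problems.push(`${k} in .env still holds a placeholder value`);
    if (!PLACEHOLDER.test(v)) problems.push(`${k} in .env.example looks like a real value, not a placeholder`);
  }
  return problems;
}
```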

Free on Chrome Web Store

Start Storing API Keys the Right Way

Install API Locker in 30 seconds and move your keys out of Notion and into an encrypted vault today.
