Guide
How to Manage API Keys and Secrets Securely in Your SaaS
Store API keys and secrets in a dedicated secrets manager (like AWS Secrets Manager or HashiCorp Vault), never in code or environment variables in plaintext. Rotate keys regularly, use short-lived tokens when possible, and restrict permissions per key. For example, set up automatic rotation every 90 days and audit key usage monthly.
Why API Keys Get Leaked
Most leaks come from three places: hardcoded keys in source code, keys stored in environment variables that get printed in logs, and keys committed to public repositories. In 2023, researchers found over 10 million secrets exposed on GitHub alone. A single leaked AWS key can cost you $10,000 in minutes.
Common mistakes include:
- Putting keys in .env files that get pushed to GitHub.
- Storing keys in database columns without encryption.
- Using the same key for multiple services.
Use a Secrets Manager, Not Environment Variables
Environment variables are better than hardcoded strings, but they still leak easily. Logs, error messages, and debugging tools often print them. Instead, use a secrets manager like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault. These tools encrypt keys at rest and in transit, audit access, and support automatic rotation.
Example: In a Node.js app, fetch the key at startup and cache it in memory. Do not write it to disk or pass it to subprocesses. Use IAM roles or service accounts to authenticate the app to the secrets manager.
Rotate Keys on a Schedule
Rotation limits the damage of a leak. If a key is compromised, an attacker can only use it until the next rotation. Set a rotation policy: every 90 days for long-lived keys, every 24 hours for high-risk keys. Automate rotation so no one has to remember.
For example, in AWS Secrets Manager, you can enable automatic rotation with a Lambda function that generates a new key and updates the dependent services. Test the rotation in a staging environment first.
Use Short-Lived Tokens and Scoped Permissions
Prefer temporary credentials over static keys. For example, use AWS STS to generate tokens that expire in 15 minutes. For internal services, use OAuth2 client credentials with a limited scope and expiration.
Each key should have the minimum permissions needed. If an integration only needs read access to one endpoint, create a key with exactly that scope. Avoid giving blanket admin access. Review permissions quarterly.
Detect and Respond to Leaks Quickly
Monitor for exposed keys using tools like GitLeaks or GitHub secret scanning. Set up alerts when a key appears in a public repository or in logs. Have a runbook ready: revoke the key immediately, rotate it, and audit usage for unauthorized activity.
Example: If you use GitHub, enable push protection for secret scanning. It blocks commits that contain known patterns like AWS keys or Slack tokens.
Audit Key Usage and Access
Log every API call that uses a key. Track which key, which service, what action, and the timestamp. Use this data to detect anomalies, like a key making calls from an unusual IP or at odd hours. Store logs in a central SIEM or at least in S3 with encryption.
Generate monthly reports of active keys, last used date, and permissions. Revoke keys that have not been used in 90 days.
Test Your Secrets Management with Automated Security Tools
Manual reviews miss leaks. Run automated scans that check your codebase, configuration files, and runtime environment for exposed secrets. Integrate these scans into your CI/CD pipeline so no build goes out with a hardcoded key.
For a more thorough test, use a tool like Kyro. Kyro is an AI penetration tester for SaaS: you point it at your app URL and it continuously hunts for real, reproducible vulnerabilities, including leaked secrets and broken access control. It reproduces each finding before alerting you by email. Pay as you go, with free credits to start. Start a free scan.
Frequently asked questions
Should I store API keys in environment variables?
Environment variables are better than hardcoded strings but still risky. They can leak in logs, error messages, and debugging output. Use a secrets manager instead.
How often should I rotate API keys?
Rotate every 90 days for standard keys, every 24 hours for high-risk keys. Automate rotation to avoid manual errors.
What is the best way to detect leaked API keys?
Use secret scanning tools like GitLeaks or GitHub secret scanning. Set up alerts and revoke leaked keys immediately.
Can I use the same API key for multiple services?
No. Each integration should have its own key with the minimum permissions needed. This limits blast radius if a key is compromised.