Keep your API key secure
Your API key gives full access to your LTX account — treat it like a password. Store it securely, keep it out of your code, and rotate it regularly to reduce the risk of unauthorized access.
Don't commit keys to version control
Never commit your API key to version control (like Git). Once a key is in your repository history, it can be discovered by automated bots that scan for exposed credentials — even if you delete it later.
Add your key file to a .gitignore file to prevent it from ever being committed to your repository.
Don't hardcode keys in client-side code
Client-side code runs in users' browsers, where anyone can inspect it. Never put your API key directly in JavaScript, HTML, or any frontend code. Route API calls through your own backend server instead — your server makes authenticated requests to LTX on behalf of your users, keeping the key hidden.
Store it as an environment variable
Keep your key out of your codebase entirely by storing it as an environment variable. See Create an API key for guidance on how to do this.
Rotate keys regularly
Generate a fresh API key every few months and revoke the old one. This limits your exposure if a key is ever compromised. If you suspect a key has been exposed, rotate it immediately.
Monitor usage
Keep an eye on your account for unusual activity — unexpected usage spikes or unfamiliar request patterns can signal a compromised key. If you notice anything suspicious, rotate your key straight away.