Keep your API key secure

Your API key gives full access to your LTX account — treat it like a password. Store it securely, keep it out of your code, and rotate it regularly to reduce the risk of unauthorized access.

Don't commit keys to version control

Never commit your API key to version control (like Git). Once a key is in your repository history, it can be discovered by automated bots that scan for exposed credentials — even if you delete it later.

Using Git?

Add your key file to a .gitignore file to prevent it from ever being committed to your repository.

Don't hardcode keys in client-side code

Client-side code runs in users' browsers, where anyone can inspect it. Never put your API key directly in JavaScript, HTML, or any frontend code. Route API calls through your own backend server instead — your server makes authenticated requests to LTX on behalf of your users, keeping the key hidden.

Store it as an environment variable

Keep your key out of your codebase entirely by storing it as an environment variable. See Create an API key for guidance on how to do this.

Rotate keys regularly

Generate a fresh API key every few months and revoke the old one. This limits your exposure if a key is ever compromised. If you suspect a key has been exposed, rotate it immediately.

Monitor usage

Keep an eye on your account for unusual activity — unexpected usage spikes or unfamiliar request patterns can signal a compromised key. If you notice anything suspicious, rotate your key straight away.

We'd love your feedback. Did this article help?