Keeping your API key secure
Your API key is like a password to your LTX-2 account. To protect it, store it in environment variables, never commit it to version control, and rotate it periodically. These practices keep your key out of the wrong hands and prevent unauthorized charges to your account.
Don't commit keys to version control
Version control systems help you track changes to your code and collaborate with other developers. However, these systems are designed to share code, which means anything you commit can potentially be seen by collaborators or, in public repositories, anyone on the internet.
Never commit your API key to version control. Once a key is in your repository history, it can be discovered by automated bots that scan for exposed credentials, even if you delete it later.
Example: Using Git
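If you're using Git (a popular version control system), you can prevent API keys from being committed by listing the files that contain them in a .gitignore file. This tells Git to ignore those files, keeping them out of your repository from the start. A .gitignore entry only affects files Git is not already tracking, so add it before the file is first committed.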
Skip client-side code
Client-side code runs in users' browsers, where anyone can inspect it using developer tools. Never hardcode your API key directly in JavaScript, HTML, or any frontend code that gets delivered to the browser.
Instead, route your API calls through your own backend server. Your server can store the key securely and make authenticated requests to LTX-2 on behalf of your users, keeping the key completely hidden from public view.
Use environment variables
Environment variables let you store sensitive information, such as API keys, outside your code files. Instead of writing your key directly into your application code, you reference it through a variable that gets loaded when your app runs.
This keeps your credentials separate from your codebase and makes managing keys across different environments (development, staging, production) much simpler. Our authentication documentation covers setup details and best practices for implementation.
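The two practices above combined, as an added example (not code from the LTX-2 documentation): a minimal server-side relay that reads the key from an environment variable and forwards browser requests without exposing it. The variable name LTX_API_KEY, the placeholder upstream URL, the Bearer header scheme, and the request field names are assumptions.

```javascript
// Added example: server-side relay that keeps the API key out of the browser.
// Assumptions (not from the LTX-2 docs): env var name, upstream URL,
// Bearer-token authentication, and the forwarded field names.
const UPSTREAM_URL = "https://api.example.invalid/v1/generate"; // placeholder
const ALLOWED_FIELDS = ["prompt", "duration"]; // hypothetical field names

// Read the key from the environment and fail closed when it is missing,
// so a misconfigured deployment never sends unauthenticated or default calls.
function loadApiKey(env = process.env) {
  const key = (env.LTX_API_KEY || "").trim();
  if (!key) throw new Error("LTX_API_KEY is not set");
  return key;
}

// Build the upstream request from the JSON body the browser sent.
// Only allow-listed fields are copied, and nothing the client supplies
// can set or override the Authorization header.
function buildUpstreamRequest(clientBody, env = process.env) {
  const src = clientBody && typeof clientBody === "object" ? clientBody : {};
  const body = {};
  for (const field of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(src, field)) {
      body[field] = src[field];
    }
  }
  return {
    url: UPSTREAM_URL,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${loadApiKey(env)}`,
      },
      body: JSON.stringify(body),
    },
  };
}

// Relay the call and hand back only status and body, so neither the key
// nor any upstream header reaches client-side code.
async function relay(clientBody, { env = process.env, fetchImpl = fetch } = {}) {
  const { url, options } = buildUpstreamRequest(clientBody, env);
  const upstream = await fetchImpl(url, options);
  return { status: upstream.status, body: await upstream.text() };
}
```

Call relay() from whatever route handler your backend framework provides; the browser talks only to that route.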
Rotate keys regularly
Generate fresh API keys every few months and revoke old ones in your console. This limits your exposure if a key ever gets compromised. If you suspect a key has been exposed, rotate it immediately.
You can create a new API key at any time through your account. Set calendar reminders to make key rotation part of your regular security routine.
Monitor usage patterns
Keep an eye on your LTX account dashboard for unusual activity. Unexpected usage spikes, requests from unfamiliar locations, or odd timing patterns can signal that your key has been compromised.
If you notice anything suspicious, rotate your key right away and review your recent activity to understand what happened.