
How to Secure Your OpenAI API Keys

8 min read · Security Guide

The $100,000 mistake developers keep making—and how to prevent it

In January 2024, a developer accidentally committed an OpenAI API key to a public GitHub repository. Within 4 hours, automated scrapers discovered the key and racked up $87,000 in fraudulent API charges. This nightmare scenario happens dozens of times per week—but it's completely preventable.

⚠️ The 4-Hour Attack Window

Automated bots scan GitHub commits every 60 seconds looking for exposed API keys. Once they find yours:

  1. 0-15 minutes: Bot validates the key is active
  2. 15-60 minutes: Begins low-volume testing to avoid detection
  3. 1-4 hours: Full-scale attack with maximum token generation
  4. 4+ hours: You wake up to a five-figure OpenAI bill

Average detection time: 11 hours. Average fraudulent charges: $23,000.

1. Never Hardcode API Keys

The #1 cause of API key leaks: developers hardcoding keys directly in source code.

❌ NEVER DO THIS

    // config.ts
    export const OPENAI_API_KEY = "sk-proj-abc123def456...";

    // main.ts
    const openai = new OpenAI({ apiKey: "sk-proj-xyz789..." });

✅ ALWAYS DO THIS

    # .env (gitignored)
    OPENAI_API_KEY=sk-proj-abc123...

    // main.ts (load .env first, e.g. node --env-file=.env or the dotenv package)
    import OpenAI from "openai";

    const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });

2. Set Spending Limits Immediately

OpenAI allows you to set hard usage caps. Configure these BEFORE using your API key in production.

Recommended Spending Limits

  DEV: $50-100/month hard cap. Alert at $40 (80% threshold).
  STAGING: $200-500/month hard cap. Alert at $400 (80% threshold).
  PROD: Based on projected usage + 50% buffer. Multiple alerts: 50%, 80%, 95%.

Configure at: platform.openai.com/settings/organization/limits

3. Enable GitHub Secret Scanning

GitHub automatically scans for exposed secrets in public repositories. Enable it for private repos too.

Enable Secret Scanning

  1. Go to your repository → Settings → Code security
  2. Enable "Secret scanning"
  3. Enable "Push protection" (blocks commits with secrets)
  4. Add .env to .gitignore
  5. Use git-secrets or TruffleHog locally
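A minimal local check in the spirit of step 5, as an added example that is not from the original article and is not the code of git-secrets or TruffleHog. It scans only the added lines of a staged diff and redacts what it finds. The key pattern, the `scan-keys.js` file name and the sample diff are assumptions constructed for illustration.

```javascript
// Assumed key shape: the "sk-"/"sk-proj-" prefix shown on this page + 20 or more URL-safe chars.
const KEY_PATTERN = /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g;
// Walk a unified diff; report keys on added lines only, redacted so secrets never reach CI logs.
function findLeakedKeys(diffText) {
  const findings = [];
  let file = null, lineNo = 0, inHunk = false;
  for (const line of diffText.split("\n")) {
    if (line.startsWith("diff --git ")) {
      inHunk = false; // the next "+++ " line is a file header, not content
    } else if (!inHunk && line.startsWith("+++ ")) {
      file = line.slice(4).replace(/^b\//, "");
    } else if (line.startsWith("@@")) {
      const m = /\+(\d+)/.exec(line); // new-file start line of this hunk
      lineNo = m ? Number(m[1]) - 1 : 0;
      inHunk = true;
    } else if (inHunk && line.startsWith("+")) {
      lineNo++;
      for (const key of line.match(KEY_PATTERN) || []) {
        findings.push({ file, line: lineNo, redacted: key.replace(/^(sk-(?:proj-)?).*/, "$1***") });
      }
    } else if (inHunk && line.startsWith(" ")) {
      lineNo++; // context lines also exist in the new file
    }
  }
  return findings;
}

// Constructed sample diff; the key is a made-up placeholder.
const SAMPLE_DIFF = [
  "diff --git a/src/main.ts b/src/main.ts",
  "--- a/src/main.ts",
  "+++ b/src/main.ts",
  "@@ -10,3 +10,4 @@",
  " const MAX_TOKENS = 256;",
  "-const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });",
  "+// quick test, will remove later",
  '+const openai = new OpenAI({ apiKey: "sk-proj-CONSTRUCTED0000000000000000EXAMPLE" });',
  " export default openai;",
].join("\n");

// Pre-commit entry point: node scan-keys.js --staged (hypothetical file name).
async function scanStaged() {
  const { execFileSync } = await import("node:child_process");
  const diff = execFileSync("git", ["diff", "--cached", "--unified=0"], { encoding: "utf8" });
  const found = findLeakedKeys(diff);
  for (const f of found) console.error(`${f.file}:${f.line} possible OpenAI key ${f.redacted}`);
  return found.length ? 1 : 0;
}
if (process.argv.includes("--staged")) scanStaged().then((code) => process.exit(code));
```

Called from `.git/hooks/pre-commit`, a non-zero exit code aborts the commit; keys on removed lines are ignored because they are already in history and need rotation rather than blocking.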

4. Rotate Keys Every 90 Days

Regular key rotation limits the window of exposure if a key is compromised without your knowledge.

    # Automated key rotation workflow
    # 1. Generate new key in OpenAI dashboard
    # 2. Update in secrets manager
    # 3. Deploy new key to all environments
    # 4. Monitor for 24 hours
    # 5. Revoke old key

    # Example: AWS Secrets Manager rotation
    aws secretsmanager rotate-secret \
      --secret-id prod/openai/api-key \
      --rotation-lambda-arn arn:aws:lambda:...

Emergency Response Plan

🚨 If Your Key Is Exposed

  1. Immediately revoke the key (platform.openai.com/api-keys)
  2. Generate a new key and update all environments
  3. Check usage logs for fraudulent activity (last 90 days)
  4. Contact OpenAI support to dispute fraudulent charges
  5. Review all repositories for other exposed secrets
  6. Post-mortem: Document how exposure occurred and implement prevention
