How to beginner · 3 min read

API key security for LLM apps

Quick answer
Secure your API key for LLM apps by never hardcoding it in source code and always loading it from environment variables like os.environ. Use least privilege principles by restricting key permissions and rotate keys regularly to minimize risk.

PREREQUISITES

  • Python 3.8+
  • OpenAI API key (free tier works)
  • pip install openai>=1.0

Setup environment variables

Store your API key securely using environment variables instead of hardcoding it in your codebase. This prevents accidental exposure in public repositories or logs.

Use a .env file locally with tools like python-dotenv or configure environment variables directly in your deployment environment.

bash
pip install python-dotenv
output 
Collecting python-dotenv
  Downloading python_dotenv-1.0.0-py3-none-any.whl (18 kB)
Installing collected packages: python-dotenv
Successfully installed python-dotenv-1.0.0

Step by step example

Load your API key from environment variables and use it securely with the OpenAI SDK. Avoid printing or logging the key.

python
import os
from openai import OpenAI

# Load API key from environment variable
api_key = os.environ["OPENAI_API_KEY"]

client = OpenAI(api_key=api_key)

response = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "Hello, secure world!"}]
)

print(response.choices[0].message.content)
output 
Hello, secure world!

Common variations

For asynchronous applications, use async SDK methods and ensure environment variables are loaded before runtime.

Use restricted API keys with minimal permissions and IP whitelisting when supported by your provider.

Rotate keys regularly and revoke compromised keys immediately.

python
import os
import asyncio
from openai import OpenAI

async def main():
    client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
    response = await client.chat.completions.create(
        model="gpt-4o-mini",
        messages=[{"role": "user", "content": "Async secure call"}]
    )
    print(response.choices[0].message.content)

asyncio.run(main())
output 
Async secure call

Troubleshooting common issues

  • Missing API key error: Ensure OPENAI_API_KEY is set in your environment before running your app.
  • Key exposure: Check your version control history and logs for accidental key leaks and rotate keys if found.
  • Permission denied: Verify your API key has the correct scopes and is not restricted beyond your app's needs.

Key Takeaways

  • Never hardcode API keys; always load from environment variables like os.environ.
  • Apply least privilege by restricting API key permissions and IP addresses when possible.
  • Rotate API keys regularly and revoke compromised keys immediately.
  • Avoid logging or exposing API keys in error messages or version control.
  • Use secure secret management tools for production deployments.
Verified 2026-04 · gpt-4o-mini
Verify ↗

People also ask

🛠 AI coding security concerns AI Coding Assistants 🛠 AI security compliance frameworks ai-security 🛠 AI security threats overview ai-security ⚖️ AI security vs traditional software security ai-security 🛠 How to audit LLM application security ai-security

Up next

🛠 How to audit LLM application security 🛠 How to detect jailbreak attempts 🐛 How to handle PII in LLM applications 🐛 How to prevent prompt injection

More in Guides

🛠 AI security compliance frameworks 🛠 AI security threats overview 🛠 How to audit LLM application security 🛠 How to detect jailbreak attempts