71 | Secret Things, Env Vars, How to Handle API Keys Correctly

In this episode, James shares common mistakes people make with their API Keys and explains the appropriate way to handle them.

Sponsors

Vercel

Vercel combines the best developer experience with an obsessive focus on end-user performance. Their platform enables frontend teams to do their best work. It is the best place to deploy any frontend app. Start by deploying with zero configuration to their global edge network. Scale dynamically to millions of pages without breaking a sweat.

For more information, visit Vercel.com

ZEAL is hiring!

ZEAL is a computer software agency that delivers “the world’s most zealous” and custom solutions. The company plans and develops web and mobile applications that consistently help clients draw in customers, foster engagement, scale technologies, and ensure delivery.

ZEAL believes that a business is “only as strong as” its team and cares about culture, values, a transparent process, leveling up, giving back, and providing excellent equipment. The company has staffers distributed throughout the United States, and as it continues to grow, ZEAL looks for collaborative, object-oriented, and organized individuals to apply for open roles.

For more information visit softwareresidency.com/careers

DatoCMS

DatoCMS is a complete and performant headless CMS built to offer the best developer experience and user-friendliness in the market. It features a rich, CDN-powered GraphQL API (with realtime updates!), a super-flexible way to handle dynamic layouts and structured content, and best-in-class image/video support, with progressive/LQIP image loading out-of-the-box."

For more information, visit datocms.com

Show Notes

• 0:00 Introduction
  • YouTube Video RE: Mistakes People Make with API Keys
• 6:42 API Keys
• 7:37 Where do API Keys come from?
• 8:57 Mistakes People Make with API Keys
• 9:10 Mistake #1: Hard Coding the API Key Value
• 11:45 Sponsor: Vercel
• 12:53 Mistake #2: Adding an API Key to the .env file, but still exposing the key
• 16:20 Mistake #3: Committing Your Key to Source Control
• 17:59 What should you do about a leaked API key?
• 19:38 Using .gitignore
• 21:20 The Best Way to Handle Secrets
• 22:57 Serverless Functions
  • Episode 57 - Authentication and Authorization and other Buzz Words
• 29:55 Sponsor: ZEAL
• 30:41 Where would you put a Bearer Token?
• 31:40 Server Side Rendering
• 33:49 Public API Keys
• 37:20 Sponsor: DatoCMS
• 38:13 Grab Bag Questions
• 38:24 What's the best way to share environmental variables across different machines?
• 38:35 What are the pros and cons of system environmental variables vs a KMS (Key Management System)?
• 40:34 Picks and Plugs
• 40:44 James's Pick: Sketcher's Tennis Shoes from Costco
• 44:54 James's Plug: YouTube Video - 10 Things JavaScript Developers Have Stopped Doing
• 45:26 Amy's Picks: James Clear 3-2-1 Newsletter
  • Atomic Habits, by James Clear
• 46:14 Amy's Pick: Keystone.js on Level Up Tutorials