API Key is equivalent to calling permission. As long as the key is still valid, someone who gets hold of it may be able to drain balances, access open models, or make unusual requests. Security configuration cannot rely solely on "the repository is private".
Check before you start
Create independent keys for each device, project and environment:
local-development
cursor-personal
staging-service
production-service
Avoid using the same Key for local tools, servers, and multiple members at the same time.
Configuration steps
Use environment variables
export AIFAST_API_KEY="yours_API_Key"
The code only reads the variables:
import os
api_key = os.environ["AIFAST_API_KEY"]
Exclude local configuration files
.env
.env.*
!.env.example
.env.example Keep only variable names:
AIFAST_API_KEY=
Log desensitization
At most a few characters at the end are displayed in the log to distinguish the Key, for example:
key=***7f3a
Do not log full request headers and do not print environment variables in the exception stack.
FAQ
The Key has been submitted to Git, is it enough to delete the file?
Not enough. Historical commits may still retain keys. The first step should be to immediately revoke the old key and create a new one, and then clean up the history.
Can the Key be placed on the front end of the web page?
No. JavaScript in the browser, network requests, and Source Maps may all be viewed by the user. The front end should call your own server, and the server will save and use the Key.
Is it safe to cover part of the screenshot when taking a screenshot?
Try not to let the complete key enter the screenshot process. Blocking out just the middle may still reveal enough information, especially if an unprocessed version remains in the original image, clipboard, or cloud sync.
Next step
Regularly check usage abnormalities, set minimum permissions and acceptable quotas for production keys, and retain the "one-click undo and replace" operation process.