Troubleshooting

API Key Security Usage Checklist

Avoid LLM API Keys from appearing in Git repositories, web front-ends, screenshots, and public logs, and establish independent tokens, permission isolation, usage monitoring, rotation, and leakage disposal processes.

Updated on 2026-07-12Checked 2026-07-12Estimated reading time: 6 minutesApplicable to server-side API Key management
Configuration fields were checked against public documentation. Models, prices, and capabilities can change; verify current values in the console and live API responses.

API Key is equivalent to calling permission. As long as the key is still valid, someone who gets hold of it may be able to drain balances, access open models, or make unusual requests. Security configuration cannot rely solely on "the repository is private".

Check before you start

Create independent keys for each device, project and environment:

local-development
cursor-personal
staging-service
production-service

Avoid using the same Key for local tools, servers, and multiple members at the same time.

Configuration steps

Use environment variables

export AIFAST_API_KEY="yours_API_Key"

The code only reads the variables:

import os

api_key = os.environ["AIFAST_API_KEY"]

Exclude local configuration files

.env
.env.*
!.env.example

.env.example Keep only variable names:

AIFAST_API_KEY=

Log desensitization

At most a few characters at the end are displayed in the log to distinguish the Key, for example:

key=***7f3a

Do not log full request headers and do not print environment variables in the exception stack.

FAQ

The Key has been submitted to Git, is it enough to delete the file?

Not enough. Historical commits may still retain keys. The first step should be to immediately revoke the old key and create a new one, and then clean up the history.

Can the Key be placed on the front end of the web page?

No. JavaScript in the browser, network requests, and Source Maps may all be viewed by the user. The front end should call your own server, and the server will save and use the Key.

Is it safe to cover part of the screenshot when taking a screenshot?

Try not to let the complete key enter the screenshot process. Blocking out just the middle may still reveal enough information, especially if an unprocessed version remains in the original image, clipboard, or cloud sync.

Next step

Regularly check usage abnormalities, set minimum permissions and acceptable quotas for production keys, and retain the "one-click undo and replace" operation process.

Source checked

Reference and Check Sources

Next step

Check the model and price first, then create an independent test Key

The model ID, open status and price will change; it will be added to production after passing small-scale verification.

Model PricingCreate Account View API documentation