How to Hide API Keys in Python: Stop Leaking Secrets to GitHub

 

Whether you are building a data pipeline in Airflow or a simple AI bot, you should never hard-code your API keys directly in your Python script. If you push that code to a public repository, hackers will find it in seconds using automated scanners.

Here is the professional way to handle secrets using Environment Variables and .env files.

1. The Tool: python-dotenv

The industry standard for managing local secrets is a library called python-dotenv. It allows you to store your keys in a separate file that never gets uploaded to the internet.

Install it via terminal:

pip install python-dotenv

2. Create your .env File

In your project’s root folder, create a new file named exactly .env. Inside, add your secrets like this:

# .env file

DATABASE_URL=postgres://user:password@localhost:5432/mydb

OPENAI_API_KEY=sk-your-secret-key-here

AWS_SECRET_ACCESS_KEY=your-aws-key

3. Access Secrets in Python

Now, you can load these variables into your script without ever typing the actual key in your code.

import os

from dotenv import load_dotenv

# Load the variables from .env into the system environment

load_dotenv()

# Access them using os.getenv

api_key = os.getenv("OPENAI_API_KEY")

db_url = os.getenv("DATABASE_URL")

print(f"Successfully connected to the database!")

4. The Most Important Step: .gitignore

This is where the "Security" part happens. You must tell Git to ignore your .env file so it never leaves your computer.

Create a file named .gitignore and add this line:

.env

Why this is a "DevSecOps" Win:

• Security: Your keys stay on your machine.

• Flexibility: You can use different keys for "Development" and "Production" without changing a single line of code.

• Collaboration: Your teammates can create their own local .env files with their own credentials.