
API Keys

Store and manage API keys securely. Use the integrations system, environment variables, and server-side routes to keep credentials safe.

API keys grant access to third-party services like OpenAI, Stripe, and databases. Exposed keys can lead to unauthorized usage, unexpected bills, and data breaches. This guide explains how to store, use, and rotate API keys securely in Skappa.

Why API Key Security Matters

A leaked API key can be exploited within seconds. Automated bots scan public repositories and client-side JavaScript for exposed credentials. The consequences range from unexpected charges on your account to unauthorized access to your users' data. Never hardcode API keys in your source code, even in private repositories.

The Integrations System

Skappa's integration system manages credentials for 40+ services. When you add an integration from the Integrations panel, Skappa securely stores the API key and makes it available to your app through environment variables. Supported integrations include OpenAI, Anthropic, Stripe, Resend, Twilio, and many more. This is the recommended approach for any service in the integrations catalog.

Manual Key Storage

For services not in the integrations catalog, store keys as environment variables in your project settings:

# In Skappa project settings > Environment
MY_API_KEY=your-secret-key-here

# Access in server-side code only
const apiKey = process.env.MY_API_KEY

Never use the NEXT_PUBLIC_ prefix for secret keys. Variables with this prefix are embedded in the client-side JavaScript bundle and visible to anyone who visits your site.

Server-Side API Routes

Always route third-party API calls through your own server-side API routes. This keeps your keys hidden from the browser:

// app/api/generate/route.ts (server-side)
export async function POST(request: Request) {
  const { prompt } = await request.json()
  // Reject bad input before spending an upstream call on it
  if (typeof prompt !== 'string' || prompt.length === 0) {
    return Response.json({ error: 'prompt is required' }, { status: 400 })
  }
  const response = await fetch('https://api.openai.com/v1/...', {
    method: 'POST', // fetch rejects a request that has a body but no method other than GET
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${process.env.OPENAI_API_KEY}`, // read on the server only
    },
    body: JSON.stringify({ prompt }),
  })
  if (!response.ok) {
    // Return a generic error instead of forwarding the provider's error body to the browser
    return Response.json({ error: 'upstream request failed' }, { status: 502 })
  }
  return Response.json(await response.json())
}

Key Rotation

  • Rotate API keys periodically — at least every 90 days for sensitive services.
  • If you suspect a leak, rotate immediately and revoke the old key at the provider.
  • Update the environment variable in Skappa settings and redeploy to apply the new key.

Tip: Skappa's integration panel shows which API keys are configured and when they were last updated. Use this as a quick reference to ensure all your credentials are current.
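The two checks above (no secret behind a NEXT_PUBLIC_ prefix, and no key older than 90 days) can be run as a small pre-deploy audit. The following is an added example, not Skappa's own code or integration panel; the function names auditEnv, findExposedSecrets and findStaleKeys, the Finding and RotationRecord types, the name and value heuristics, and the sample variables and rotation dates are all assumptions constructed for this example.

```typescript
// Added example (not part of Skappa): audit environment variables for the two
// problems this page warns about.
//   1. Secret-looking variables carrying the NEXT_PUBLIC_ prefix, which Next.js
//      inlines into the browser bundle.
//   2. Keys whose last rotation is older than a maximum age (90 days by default).
// Names, heuristics and sample data below are assumptions made for this example.

type Finding =
  | { kind: 'exposed'; name: string; reason: string }
  | { kind: 'stale'; name: string; ageDays: number }

interface RotationRecord {
  name: string
  lastRotated: string // ISO 8601 date of the last rotation
}

// Name fragments that usually indicate a credential.
const SECRET_NAME_HINTS = ['KEY', 'SECRET', 'TOKEN', 'PASSWORD', 'PRIVATE']

// Value prefixes that well-known providers use for secret (not publishable) keys.
// Heuristic only: it will not recognise every key format.
const SECRET_VALUE_PREFIXES = ['sk-', 'sk_live_', 'sk_test_']

const DAY_MS = 86_400_000

// Flag NEXT_PUBLIC_ variables that look like secrets. A name containing
// PUBLISHABLE (e.g. a Stripe publishable key) is public by design and is only
// flagged when its value looks like a secret key.
function findExposedSecrets(env: Record<string, string>): Finding[] {
  const findings: Finding[] = []
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue
    const upper = name.toUpperCase()
    const looksPublishable = upper.includes('PUBLISHABLE')
    const prefix = SECRET_VALUE_PREFIXES.find((p) => value.startsWith(p))
    const hint = SECRET_NAME_HINTS.find((h) => upper.includes(h))
    if (prefix) {
      findings.push({ kind: 'exposed', name, reason: `value starts with ${prefix}` })
    } else if (hint && !looksPublishable) {
      findings.push({ kind: 'exposed', name, reason: `name contains ${hint}` })
    }
  }
  return findings
}

// Flag keys rotated more than maxAgeDays ago. An unparsable date is treated as
// "never rotated" so it surfaces instead of being silently skipped.
function findStaleKeys(records: RotationRecord[], now: Date, maxAgeDays = 90): Finding[] {
  const findings: Finding[] = []
  for (const r of records) {
    const parsed = Date.parse(r.lastRotated)
    const ageDays = Number.isNaN(parsed)
      ? Number.POSITIVE_INFINITY
      : Math.floor((now.getTime() - parsed) / DAY_MS)
    if (ageDays > maxAgeDays) findings.push({ kind: 'stale', name: r.name, ageDays })
  }
  return findings
}

function auditEnv(
  env: Record<string, string>,
  records: RotationRecord[],
  now: Date = new Date(),
): Finding[] {
  return [...findExposedSecrets(env), ...findStaleKeys(records, now)]
}

// Constructed sample data; none of these values are real credentials.
const SAMPLE_ENV: Record<string, string> = {
  OPENAI_API_KEY: 'sk-constructed-example-0000', // correct: server-only name
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: 'pk_test_constructed', // fine: publishable by design
  NEXT_PUBLIC_STRIPE_KEY: 'sk_test_constructed', // wrong: secret key value in the bundle
  NEXT_PUBLIC_OPENAI_API_KEY: 'placeholder', // wrong: name marks it as a secret
  NEXT_PUBLIC_APP_NAME: 'demo', // fine: not a credential
}
const SAMPLE_ROTATIONS: RotationRecord[] = [
  { name: 'OPENAI_API_KEY', lastRotated: '2024-01-01' }, // 91 days before the audit date
  { name: 'STRIPE_SECRET_KEY', lastRotated: '2024-03-15' }, // 17 days before the audit date
]

for (const f of auditEnv(SAMPLE_ENV, SAMPLE_ROTATIONS, new Date('2024-04-01T00:00:00Z'))) {
  console.log(f)
}
```

Run it as part of CI before the deploy step; a non-empty result should fail the build, since anything it reports is either already in the client bundle or overdue for rotation.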
