API Keys and Credentials: A Specific Hazard
Module 3 · Section 6 of 7
For developers and anyone who uses AI via API access rather than the chat interface, credentials present a specific, quantifiable risk. In 2024 alone, 39 million API keys and credentials were exposed on GitHub. Over 50,000 publicly leaked OpenAI API keys appeared on GitHub in that period.
The consequences are direct: an attacker with your OpenAI API key can run queries charged to your account, consuming your credits or running up charges. More seriously, an API key is usually issued with the full permissions of the account or project that created it, so a compromised key exposes everything that account can reach, not just the ability to run queries.
A GitGuardian researcher found that scanning GitHub for usable OpenAI API keys takes under two minutes with readily available tooling. If you have ever committed a configuration file containing an API key, even briefly before deleting it, assume the key has been harvested. Deleting the file in a later commit does not help: the key remains in the repository history, and scanners watch public commits as they land. The only remedy is to revoke the key and issue a new one.
Specific rules for API key management are in Module 4's checklist. The conceptual point: treat API keys as credentials equivalent to passwords. They should not appear in code repositories, chat messages, or any publicly visible file; code should read them from the environment or a secrets manager at run time.
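The two habits above, catching a key before it is committed and loading it from the environment instead of a file, can both be demonstrated in a few lines. The following is an added example written for this page, not code from the course or from GitHub or GitGuardian. The regular expression for OpenAI-style keys (an `sk-` or `sk-proj-` prefix followed by a long run of key characters) is an assumption about the key format made for illustration; vendors change formats, so a real pre-commit hook should use a maintained scanner. The sample config file is constructed, and the keys in it are not real.

```python
import math
import os
import re

# Assumed OpenAI-style key shape for this example: "sk-" or "sk-proj-" followed by
# 20+ key characters. Not an official specification; treat it as a starting point.
OPENAI_KEY_RE = re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b")

# Generic catch-all: an identifier containing key/secret/token/password, assigned a
# long token. Whether the token is reported depends on its entropy (see below).
ASSIGNMENT_RE = re.compile(
    r"(?i)([A-Za-z0-9_-]*(?:api[_-]?key|secret|token|password)[A-Za-z0-9_-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)

# Constructed sample of a config file someone might commit. Both "keys" are made up.
SAMPLE_CONFIG = """\
# constructed sample of a config file someone might commit
OPENAI_API_KEY = "sk-proj-A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"
DATABASE_URL = "postgres://app:app@localhost/app"
LOG_LEVEL = "debug"
ADMIN_PASSWORD = "changemechangeme"
AWS_SECRET = "q7Zt9xL2mPv4Rk8sWn3bYc6Hd1Jf5Ga0"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score near 5; words and paths score well below 3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, min_entropy: float = 3.5):
    """Return (line_number, kind, value) for each suspected credential in text.

    Known key formats are reported unconditionally; generic assignments are reported
    only when the value looks random enough to be a real secret, which keeps
    placeholders such as "changemechangeme" out of the report.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in OPENAI_KEY_RE.finditer(line):
            hits.append((lineno, "openai-key", m.group(0)))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if OPENAI_KEY_RE.search(value):
                continue  # already reported by the format-specific rule
            if shannon_entropy(value) >= min_entropy:
                hits.append((lineno, "high-entropy-value", value))
    return hits


def load_api_key(env_var: str = "OPENAI_API_KEY", environ=None) -> str:
    """Read the key from the environment rather than from a file in the repository.

    Fails loudly when the variable is missing so that nobody "fixes" the error by
    pasting the key into source. `environ` is overridable only to make this testable.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; export it in the shell or a secrets manager")
    return key


if __name__ == "__main__":
    # Usage: pipe file contents or `git log -p` into this script to scan history too.
    import sys
    for lineno, kind, value in find_secrets(sys.stdin.read()):
        # Print a short prefix only; a scanner must never echo the whole secret.
        print(f"line {lineno}: {kind}: {value[:6]}...")
```

Run as `git log -p | python scan.py` to check the full history of a repository, not just the working tree, since a key deleted in a later commit is still present in earlier ones. On the constructed sample the scanner reports the `sk-proj-` key on line 2 and the random-looking `AWS_SECRET` on line 6, and ignores `changemechangeme`, whose entropy (about 2.75 bits per character) falls under the threshold.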