API Keys & Access
API Keys & Access​
Keys are managed in Developer Console after Identity sign-in.
Until Developer Console is fully live, request onboarding via [email protected].
Key model​
- Separate keys by environment and workload.
- Apply least-privilege route scope.
- Rotate on a fixed cadence and on incident response.
Storage requirements​
- Store keys only in a secrets manager.
- Never commit keys to source control.
- Use short-lived deployment injection where possible.
Rotation workflow​
- Create new key.
- Deploy dual-key capable config.
- Shift traffic to new key.
- Revoke old key and validate no residual usage.
Deprecated
Long-lived shared keys across multiple systems are deprecated practice. Move to per-service scoped credentials.