How to Safely Share API Keys and Secrets with Your Team
Learn how to securely share API keys, secret keys, and environment variables with your development team. Avoid dangerous sharing methods and adopt best practices for secret management.
If you write code professionally, you have almost certainly needed to share API keys, secret keys, database passwords, or server credentials with a teammate. The question is how to do it without creating a security vulnerability in the process.
Dangerous Sharing Methods
Let us start with what you should never do. Surprisingly, many development teams still rely on these approaches.
1. Committing to Git
Committing .env files to a Git repository is the most common and most dangerous mistake.
```sh
# Never do this
git add .env
git commit -m "add env variables"
git push origin main
```
Once a secret enters Git history, deleting the file with `git rm` does not erase it: the commit that added it still contains the full contents. On public repositories, automated bots detect exposed secrets within seconds.
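The point above in a throwaway repository, as an added example that is not part of the original article: the key is a constructed placeholder, `git` is assumed to be on PATH, and the script shows that after `git rm` the secret is gone from HEAD but still present in an earlier commit and readable with `git show`.

```shell
#!/bin/sh
# Added example (not from the article). Demonstrates that `git rm` removes a
# committed .env from the working tree and HEAD but leaves it recoverable
# from history. The key value is constructed, not a real credential.
# Assumes `git` is installed; everything happens in a temp repository.

demo_git_rm_does_not_erase() {
  key='sk-constructed-example-key-0000'
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.com
  git -C "$repo" config user.name demo
  printf 'API_KEY=%s\n' "$key" > "$repo/.env"
  git -C "$repo" add .env
  git -C "$repo" commit -q -m "add env variables"
  first=$(git -C "$repo" rev-parse HEAD)
  git -C "$repo" rm -q .env
  git -C "$repo" commit -q -m "remove .env"

  # 1. HEAD (and the working tree) no longer contain the key.
  in_head=0
  git -C "$repo" grep -q -F "$key" HEAD && in_head=1

  # 2. Every commit reachable from any ref is still searchable.
  in_history=$(git -C "$repo" rev-list --all | while read -r rev; do
      git -C "$repo" grep -q -F "$key" "$rev" && echo "$rev"
    done | wc -l | tr -d ' ')

  # 3. The deleted file can be read back verbatim from the old commit.
  recovered=$(git -C "$repo" show "$first:.env")
  rm -rf "$repo"
  echo "in_head=$in_head commits_with_key=$in_history recovered=$recovered"
}
```

Rewriting history only helps once the key has also been rotated; anyone who cloned or fetched in the meantime keeps the old commit.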
2. Pasting in Slack or Discord
Pasting API keys directly into a messaging channel is equally risky.
- Everyone with channel access can see it
- Message search makes it discoverable later
- The message persists even after an employee leaves
- Slack workspace admins can read all messages including DMs
3. Sending via Email
Email is not encrypted by default. Messages can be intercepted in transit between mail servers, and credentials remain permanently in the recipient's inbox.
The Real Cost of API Key Leaks
An API key leak is not just a security incident. It translates directly into financial damage.
AWS Key Leak Examples
| Incident | Damage |
|---|---|
| Individual developer AWS key exposed | $6,000 charged overnight |
| Startup public GitHub repository | Over $50,000 charged in 3 days |
| Enterprise internal wiki leak | Multi-million dollar data breach |
When cloud service keys from AWS, GCP, or Azure are leaked, attackers spin up massive compute resources within minutes, typically for cryptocurrency mining.
Other Consequences
- Payment API key leak -> fraudulent charges
- Email API key leak -> mass spam distribution
- Database credentials leak -> customer data theft
Safe Ways to Share API Keys
Method 1: LOCK.PUB Secret Memo (Instant Sharing)
This is the most practical approach when you need to hand off keys to a teammate right now.
Workflow:
- Create a secret memo on LOCK.PUB
- Enter the API key and any relevant context
- Set a password and a short expiration time (e.g., 1 hour)
- Send the link via Slack and the password via a separate DM
```text
# Example secret memo content
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI...
AWS_REGION=us-east-1

Note: These keys are for the staging environment only.
Request production keys separately.
```
Advantages:
- Auto-deletes after the expiration time
- Requires a password to view
- Stored encrypted on the server
- No raw keys left in Slack history
Method 2: Secret Management Tools (Team-Wide)
As teams grow, dedicated secret management tools become essential.
| Tool | Strength | Best For |
|---|---|---|
| HashiCorp Vault | Most powerful secret management | Large enterprises |
| AWS Secrets Manager | AWS ecosystem integration | AWS-centric infrastructure |
| 1Password Teams | Developer-friendly UI | Startups, small teams |
| Doppler | Automatic env var syncing | DevOps-focused teams |
Method 3: Environment Variable Management (.env.example Pattern)
Including a .env.example file in your project is standard practice.
```sh
# .env.example (committed to Git)
DATABASE_URL=
API_KEY=
SECRET_KEY=
STRIPE_SECRET=
```
```sh
# .env (never committed to Git)
DATABASE_URL=postgresql://user:pass@host:5432/db
API_KEY=sk-abc123...
SECRET_KEY=mysecret...
STRIPE_SECRET=sk_live_...
```
Always add .env to your .gitignore.
```gitignore
# .gitignore
.env
.env.local
.env.production
```
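A CI-style check for the .env.example pattern, as an added example that is not from the article: it verifies that the committed template declares every key with an empty value (so no secret is about to be committed) and that the local .env fills in each declared key. The file contents in the demo function are constructed to mirror the layout above.

```shell
#!/bin/sh
# Added example (not from the article): a check for the .env.example pattern.
# The template must declare keys with empty values; the real .env must fill
# every declared key. Sample file contents in the demo are constructed.

check_env_files() {
  # $1 = committed template (.env.example), $2 = uncommitted secrets file (.env)
  # Prints one line per finding and returns 1 if anything is wrong.
  example=$1 envfile=$2 status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    # A value in the template is a secret that is about to be committed.
    if [ -n "$value" ]; then
      echo "$example: $key carries a value; the template must stay empty"
      status=1
    fi
    # Every declared key must be present and non-empty in the real .env.
    # Keys are [A-Z0-9_], so no regex escaping is needed.
    if ! grep -q "^${key}=." "$envfile" 2>/dev/null; then
      echo "$envfile: $key is missing or empty"
      status=1
    fi
  done < "$example"
  return $status
}

demo_check_env_files() {
  # Constructed files: the template leaks one value and the local .env
  # forgets STRIPE_SECRET. Prints the number of findings (expected: 2).
  dir=$(mktemp -d)
  printf 'DATABASE_URL=\nAPI_KEY=\nSECRET_KEY=\nSTRIPE_SECRET=sk_live_oops\n' \
    > "$dir/.env.example"
  printf 'DATABASE_URL=postgresql://user:pass@host:5432/db\nAPI_KEY=sk-abc123\nSECRET_KEY=mysecret\n' \
    > "$dir/.env"
  findings=$(check_env_files "$dir/.env.example" "$dir/.env" | wc -l | tr -d ' ')
  rm -rf "$dir"
  echo "$findings"
}
```

Run `check_env_files .env.example .env` in CI and as a local pre-commit step; a non-zero exit blocks the commit before a filled-in template reaches Git.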
Secret Management Best Practices
1. Rotate Keys Regularly
API keys should be rotated on a regular schedule. This limits the damage window if a key is compromised.
| Key Type | Recommended Rotation |
|---|---|
| Production API keys | 90 days |
| Database passwords | 60 days |
| Service tokens | 30 days |
| Dev/test keys | Immediately when someone leaves |
2. Use Separate Keys Per Environment
Use different keys for development, staging, and production environments.
```sh
# Good
DEV_API_KEY=sk-dev-xxx
STAGING_API_KEY=sk-staging-xxx
PROD_API_KEY=sk-prod-xxx

# Bad - same key for all environments
API_KEY=sk-same-key-for-all
```
3. Apply the Principle of Least Privilege
Grant only the minimum necessary permissions to each API key.
- Use read-only keys for read-only operations
- Issue keys scoped to specific services
- Restrict admin keys to the smallest possible group
4. Automate Leak Detection
Use tools like GitHub Secret Scanning, GitGuardian, or TruffleHog to automatically detect secrets committed to code repositories.
```yaml
# Add secret scanning as a pre-commit hook
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: vX.Y.Z  # pre-commit requires a pinned tag; replace with a released version
    hooks:
      - id: detect-secrets
```
Quick Sharing Workflows with LOCK.PUB
Here are workflow templates for the most common scenarios in development teams.
New Team Member Onboarding
When a new developer joins, deliver all required environment variables at once.
- Compile all environment variables in a secret memo
- Set a 24-hour expiration
- Share the link and password
- The memo auto-expires after the team member confirms receipt
Sharing Keys with External Partners
Sharing API keys with external vendors requires extra caution.
- Issue a dedicated key specifically for that partner
- Deliver via secret memo with a short expiration
- Instruct the partner to store the key in their own secret management tool
- Revoke the key when the engagement ends
Emergency Key Sharing During Incidents
When a server is down and another team member needs access urgently:
- Create a secret memo with a 1-hour expiration
- Communicate the password by phone and send the link via messenger
- Rotate the shared key after the incident is resolved
Wrapping Up
API key and secret management is fundamental to development security. Pasting keys in Slack or sending them via email might feel convenient, but a single leak can cost thousands or even millions. Build the habit of sharing secrets securely from day one.
If you need to share a key with a teammate right now, try using a secret memo.