How To Hide Your Source Codes API Key From GitHub

It’s been a long and exciting road of learning how to code. I started my journey years ago trying to teach myself how to program in the python programming language and a few other web development stacks. I started to feel stuck, slowed down by my own inhibitions and in need of some direction and help.

This block in the proverbial road led me to Flatiron School for Software Engineering. I have finally gotten to and completed my first portfolio project that I titled PreFlight Weather. It is a phase 1 CLI project done in the Ruby programming language; one of my favorites next to python. In this CLI program the user or pilot is able to check the weather using what’s called a METARs or METeorological Aerodrome Reports. All of this is being pulled by an API.

This particular API did use a key, even though one was not required to complete the project, in which I was cautioned to hide my API Key when uploading it to my GitHub account/repository. The goal of this post is to help you hide your API Keys as well when you upload your projects to your GitHub.

Setting Up Your Environment

For this basic tutorial I’ll be using VSCode and all you have to do is create a simple directory and call it “hide”. To open your terminal inside VSCode press ‘ctrl + ~’. From your terminal type in ‘mkdir hide’ and cd into that directory. Once you are in your new empty directory, go ahead and create a ‘run’ file by typing in ‘touch run’ and then a readme file by typing in ‘touch’.

Learning To Be A Ninja

Next, in your terminal type ‘git init’ to initialize it as a GitHub file and turns all of our files green which tells us that they have not yet been pushed to GitHub. Once this has been done we can create another file called .gitignore ‘touch .gitignore’ and from within this file we can add other files within our hide directory to be hidden. For example, if we typed run inside the .gitignore we can see that the run file has changed in color from green to grey. Now we can do this with any file that is within our directory and this is where we can hid our API Key file.

An Environment To Envy

Now we can download a really awesome tool that will help us load environment variables like the API Key we want to hide. This will make things a lot easier than just saving and hiding it in a simple file and variable. You can read more about that here.

This has to be one of my favorite tools to use - the dotenv gem. This tool allows you to define and create an environmental variable that we can use to hide in a file from GitHub. So everyone who will be downloading and playing with your program will have to create their own file on there own computer in order to use it. Your readme file should have some information in it letting everyone know how to set this up and use your program. Check out my projects readme file here as an example.

To install the dotenv gem you simply have to type in your terminal ‘gem install dotenv’. Once it’s installed you will need to create another file called .env ‘touch .env’. (More on that in a bit.) Now in your run.rb file you’ll want to add require ‘dotenv/load’ at the top of your file.

Next you can go to your .gitignore file and make sure that your .env file is hidden from GitHub by typing the file name into the file. Now we can declare a variable in the .env file that will hold our API Key. Now the syntax is kind of specific and will want to make ours very similar and it looks like this API_KEY=YOURSECRETKEYGOESHERE. You’ll just want to make sure you enter in your API Key after declaring it with no spaces. If you’re not sure always double check the dotenv documentation.

To call your variable go to your run.rb file and add ‘puts ENV[“API_KEY”]’. By running the program it should display your API Key. Now you can see how this can be used in your own API program. By hiding the .env file that holds your API variable and key in the .gitignore, Github will not see those hidden files. Now no one… err, bot will find your API Key to exploit it.

From here you can finish saving and pushing your project and files to GitHub all while feeling secure that your key is safe and hidden. One great thing is that GitHub will not even push your hidden files to your account; it stays safe on your personal or work computer.

Why We Go Into Ninja Mode

Giving out your API Key is like handing out your password and by giving this out will allow people to do a lot of bad things with your account. Anything from losing money, changing data, and info to being locked out of your server. We want to hide this from GitHub because some people thought it would be smart to create bots that would scour and crawl GitHub just for API Keys to exploit. Talk about a bad day, right?

How Someone Else Uses Your App

In order for others to use your app they will have to go to the same place you got your API Key as you did, set up an account and get their very own key. Once they have their key they can create their own .env file and add the key to a variable.

All in all, I feel confident that this method in hiding your files from GitHub will help you keep your files, keys and secret information hidden. Dotenv is an ineradicable tool that is powerful enough to get the job done and is easy for anyone to use. By hiding your .env file within the .gitignore file insures your success in hiding those delicate files and information.

A Beginner blogger who loves to program and fly drones. Maybe one day to be a pilot and combine my two loves.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store