Setting Up API Keys Securely: A Step-by-Step Guide

Your API key is a master password. Treat it like one.

Every major LLM provider requires an API key. Managing these keys safely is the difference between a secure AI workflow and a compromised account. This guide walks through best practices for Anthropic, OpenAI, Google, and DeepSeek.

The Threat Model

API keys for LLM providers are bearer tokens. Anyone with your key can:

  • Send requests billed to your account
  • Access fine-tuned models you have trained
  • In some cases, view billing history or organization membership

Leaked keys are sold on dark web markets within hours. OpenAI and Anthropic both report thousands of compromised keys monthly.

Provider-Specific Setup

Anthropic

  1. Go to console.anthropic.com → Settings → API Keys
  2. Create a key with a descriptive name (e.g., "aiworkbench-dev-march-2026")
  3. Set a spending cap. Anthropic allows monthly spend limits. Set this to 2× your expected usage.
  4. Copy the key starting with sk-ant- and paste it into AIWorkbench.dev's Anthropic key input.

OpenAI

  1. Go to platform.openai.com → API Keys
  2. Create a project-scoped key, not an organization-wide key. Project keys can be revoked without affecting other integrations.
  3. Enable usage limits at the project level. OpenAI supports both hard limits (requests stop) and soft limits (email alerts).
  4. Copy the key starting with sk-proj- or sk- and paste it into the workbench.

Google Gemini

  1. Go to aistudio.google.com → Get API Key
  2. Google uses API keys tied to a Google Cloud project, not personal accounts. Create a dedicated project for AIWorkbench.dev.
  3. Set quota limits in the Google Cloud Console under APIs & Services → Gemini API → Quotas.
  4. Copy the key and paste it into the workbench.

DeepSeek

  1. Go to platform.deepseek.com → API Keys
  2. DeepSeek currently supports one active key per account. There is no project scoping.
  3. Set a balance alert in your account settings. DeepSeek is prepaid, so overspending is impossible — but running out of credits mid-session is frustrating.

Best Practices Across All Providers

1. Never Commit Keys to Git

Use environment variables or the workbench's browser-only storage. If you must store a key in a file, use .env and add it to .gitignore.
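One way to enforce this before a commit, as an added example (not code from AIWorkbench.dev or any provider): a scanner that flags strings carrying the key prefixes named in this guide and checks that .env is covered by .gitignore. The 20+ character tail length, the simplified .gitignore matching (basename globs only), and the sample input are assumptions.

```python
import fnmatch
import re
import sys

# Prefixes are the ones this guide names; the 20+ character tail is an
# assumption so short strings such as "sk-learn" do not match.
TAIL = r"[A-Za-z0-9_-]{20,}"
KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-" + TAIL),
    "openai-project": re.compile(r"\bsk-proj-" + TAIL),
    "other-sk": re.compile(r"\bsk-(?!ant-|proj-)" + TAIL),
}

def redact(key):
    """Keep enough of the key to identify it, never the whole secret."""
    return f"{key[:8]}...({len(key)} chars)"

def scan_text(path, text):
    """Return (path, line number, provider, redacted key) for each hit."""
    return [
        (path, lineno, provider, redact(m.group()))
        for lineno, line in enumerate(text.splitlines(), 1)
        for provider, pattern in KEY_PATTERNS.items()
        for m in pattern.finditer(line)
    ]

def env_is_ignored(gitignore_text, filename=".env"):
    """Simplified .gitignore check: basename globs only, last match wins."""
    ignored = False
    for rule in map(str.strip, gitignore_text.splitlines()):
        if not rule or rule.startswith("#"):
            continue
        if fnmatch.fnmatch(filename, rule.lstrip("!/")):
            ignored = not rule.startswith("!")  # "!pattern" re-includes the file
    return ignored

# Constructed sample input; these are not real keys.
SAMPLE = 'ANTHROPIC_API_KEY="sk-ant-' + "EXAMPLE0" * 4 + '"\nmodel = "sk-learn"\n'

if __name__ == "__main__":
    sources = sys.argv[1:]  # e.g. the staged file names
    hits = [] if sources else scan_text("<sample>", SAMPLE)
    for name in sources:
        with open(name, encoding="utf-8", errors="replace") as fh:
            hits += scan_text(name, fh.read())
    for hit in hits:
        print("possible API key: %s:%d [%s] %s" % hit)
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Run with file names as arguments it exits non-zero on any hit, so it can serve as a pre-commit check; run with no arguments it scans the constructed sample.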

2. Rotate Keys Quarterly

Set a calendar reminder. Rotating keys takes 2 minutes and limits the blast radius of an undetected leak.

3. Use Separate Keys Per Environment

  • Development: Low spend cap, unrestricted model access
  • Production: High spend cap, restricted to specific models
  • Testing: Minimal cap, ephemeral key

4. Monitor Usage Dashboards

All providers show token usage by key. Anomalous spikes (10× normal usage) are the first sign of compromise.

Why AIWorkbench.dev Never Stores Keys Server-Side

The workbench stores your key in sessionStorage, which is cleared when the tab closes. There is no database, no backend, no log file containing your credentials. Even a complete breach of our static hosting (GitHub Pages / Vercel) would expose zero stored API keys.

Compare this to proxy-based AI tools, where your key is transmitted to their server on every request. Those servers have databases, logs, and employees with database access.

Key Takeaway

API key management is a supply-chain security problem. Scope your keys, cap your spend, rotate regularly, and never trust a tool that asks for your key unless you can verify it stays in your browser.