Secrets Management: Common Examples of Secrets and Best-Practices

Secrets – in the context of development – are sensitive information that grants privileged access to systems, data or services. And because of this importance that they have, is crucial management them properly. Secret management involves storing, accessing, and using secrets in a security and efficient way. If these secrets are exposed, unauthorized individuals can access sensitive information, and consequently modify, copy, delete or corrupt it.

When a secret is leaked, the financial losses can be significant. For example:

A bank has to management an enormous amount of data – like accounts IDs, transactions, passwords, etc. - and for that, this data is stored in a database. What will happen if the database password is leaked and an unauthorized individual – unhappy about the bank’s service – corrupts the data. The bank probably has a backup, but the downtime will be at the level of days, and the bank would likely lose its customers' trust.

---

Common Examples of Secrets

API Key

API keys are strings used to identify and authenticate an application or user when accessing an external service. When you use any application that needs to communicate with external services – like ChatGPT, GoogleMaps or Instagram – you need to be authenticated by the API by using an API Key.

Anyone that possesses the API key can make requests in your name – potentially generating costs or abusing the service.

Example of an API Key:

AI_API_KEY=sk-1a2b3c4d5e6f7g8h9i0j

Database Credentials

If a database credential is leaked, attackers can read or delete your database content.

Example of a Database Credential:

DB_USER=admin
DB_PASSWORD=SuperSecret123

Access Token

Imagine having to log in with your username and password every time you used a social media app. That would quickly become annoying. And to avoid this, we have access tokens.

After you log in with your username and password, an access token is generated. This token serves as proof that you know the credentials, than the next time you access the account the server will not require your credentials again, instead of that, the server will require the access token. And here is the key point: anyone who has the token can access your account.

Example of Access Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Cloud Credentials

The individual that has the cloud credentials can copy, modify, delete, or corrupt the data stored in the cloud.

Example of Cloud Credentials:

AWS_ACCESS_KEY_ID=key123
AWS_SECRET_ACCESS_KEY=secretkey123

Private Keys

Private keys has the capability of decode encrypted text (since the text was encrypted by the corresponding public key), so if they are leaked, an attacker can decrypt the ciphertext, thus gaining access to sensitive information.

Example of Private Keys:

encryption_key = KEY001

Certificates

Certificates are normally public, but .key files must be confidential. These files contain the private key associated with the certificate.

---

Best Practices for Managing Secrets in Code

API Keys and Private Key

Never hardcode an API key or a private key. Anyone who accesses the source code can retrieve and misuse the key.

Insecure code:

//API Key
api_key = "sk-1a2b3c4d5e6f7g8h9i0j"

//Private Key
encryption_key = b'my-very-secret-key'

Use a .env file to store secrets. This way, even if someone accesses your code, they won’t see the actual key. Also, .env files are typically excluded from version control (e.g., GitHub) by adding them to .gitignore.

Secure code:

//API Key
import os

api_key = os.getenv("API_KEY")

//Private Key
import os

encryption_key = os.getenv("ENCRYPTION_KEY").encode()

Database and Cloud Credentials

The same principle applies to databases and cloud credentials. Never hardcode database or cloud credentials into your code.

Insecure code:

//Database credentials
const dbUser = "admin";
const dbPassword = "SuperSecret123";

//Cloud credentials
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
aws_secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

Use a .env file to store the credentials.

Secure code:

//Database credentials
const dbUser = process.env.DB_USER;
const dbPassword = process.env.DB_PASSWORD;

//Cloud credentials
const aws_access_key = process.env.AWS_ACCESS_KEY;
const aws_secret_key = process.env.AWS_SECRET_KEY;

Access Token

Storing tokens in the front end or in localStorare is risky. An attacker can inject malicious scripts and access the token – this is known as Cross-Site Scripting (XSS).

Insecure code:

localStorage.setItem("token", "eyJhbGciOiJIUzI1NiIs...");

Tokens should be stored in secure, HttpOnly cookies.

• Secure: ensures cookies are only sent over HTTPS.

• HttpOnly: prevents access via JavaScript, protecting against XSS.

Secure code:

document.cookie = "token=eyJhbGciOiJIUzI1NiIs...; Secure; HttpOnly";

Certificates

Do not upload the .key file of the certificate directly to the repository, as this exposes the private key.

Insecure code:

git add server.crt server.key

Instead add the file on the .gitingnore - this tells Git which files or folders to ignore (i.e., not track) when performing git add, commit, or push - and restrict permissions

Secure code:

chmod 600 /etc/ssl/private/server.key

---

Other Best practices

Secrets Managers

A secret manager is one of the most useful tools to securely store, protect, access, and manage sensitive information. It includes features like:

• Secure storage: Secrets are encrypted at rest, typically with strong encryption (such as AES-256). Only authorized systems or users can access them.

• Access control (IAM): Allows you to configure who can access which secret, typically using fine-grained permissions (e.g., “Only the production backend can access these tokens”).

• Automatic secret rotation: Some secret managers (such as AWS Secrets Manager or HashiCorp Vault) allow you to automatically rotate passwords or keys after a specific time interval or event, reducing the risk of compromise.

• Auditing and logs: You can track who accessed what and when, helping maintain security and investigate incidents.

Automatic Secret Rotation

Automatic secret rotation is crucial for security. If a password, token, or key is accidentally leaked, automatic rotation ensures that secret has a short lifespan, drastically reducing the attack window. It also automates a task that, if done manually, is risky and error-prone.

Access Should be Based on the Principle of Least Privilege

A person should only have access to the resources necessary to perform their tasks. The more access a person has, the greater the potential impact if their credentials are compromised.

Use Different Secrets in Different Environments

This practice reduces the impact of a secret leak, as the secret will only grant access to a specific environment — not the entire system.

Access Monitoring and Auditing

Even if you have strong secrets management policies in place, always monitor access and perform regular audits to ensure everything is functioning as expected.

---

Conclusion

Modern systems rely on dozens of secrets — API keys, tokens, credentials — all of which are potential entry points if mismanaged.
Security isn’t only about encryption, but about process: isolating secrets, rotating them, auditing access, and minimizing exposure.
Building secure software means building secure practices — and it starts with how you manage secrets.