Security best practices for API keys

Follow these best practices to keep your API keys secure and your Lybic resources protected.

Storage and Handling

Never Commit API Keys

Do not commit API keys to version control systems. Use environment variables or secret management tools instead.

// Never hardcode API keys
const insecureClient = new LybicClient({
  apiKey: 'lysk-abc123...', // Insecure: the key ships with the source code
})

// Use environment variables instead
const lybic = new LybicClient({
  apiKey: process.env.LYBIC_API_KEY, // Secure: the key stays out of the repository
})

Use Environment Variables

Store API keys in environment variables or secure configuration files:

.env
LYBIC_API_KEY=lysk-your-api-key-here
LYBIC_ORG_ID=your-org-id
LYBIC_BASE_URL=https://your-base-url.example

Python
import os
from lybic import LybicClient

# Automatically reads LYBIC_API_KEY, LYBIC_ORG_ID and LYBIC_BASE_URL from the environment
client = LybicClient()

Shell
export LYBIC_API_KEY="lysk-your-api-key-here"
export LYBIC_ORG_ID="your-org-id"

Protect Configuration Files

Ensure that configuration files containing API keys have restricted permissions:

chmod 600 .env

Add sensitive files to .gitignore:

.gitignore
.env
.env.local
config/secrets.json

Key Rotation

Regular Rotation

Rotate API keys periodically to minimize the impact of potential compromise:

  1. Create a new API key in the Dashboard
  2. Update your applications with the new key
  3. Test that the new key works correctly
  4. Delete the old key

Immediate Rotation

Rotate keys immediately if:

  • A key is accidentally exposed in logs or version control
  • A team member with access to keys leaves the organization
  • You suspect unauthorized access

Access Control

Limit Key Distribution

Create separate API keys for different applications or environments:

  • One key per application
  • One key per team member for development
  • Separate keys for production and development

This allows you to revoke specific keys without affecting other services.

Descriptive Names

Use descriptive names when creating API keys to identify their purpose:

Production-Web-App
Development-John
CI-CD-Pipeline
Mobile-App-iOS

Application Security

Secure Client-Side Usage

Never expose API keys in client-side code:

  • Do not include API keys in frontend JavaScript
  • Use backend proxies to make Lybic API calls
  • Implement proper authentication for your users

Use HTTPS Only

Always use HTTPS when transmitting API keys:

const lybic = new LybicClient({
  baseUrl: 'https://your-base-url.example', // Always HTTPS
})
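The checks this page asks for (key read from LYBIC_API_KEY rather than a literal, an https-only base URL, a .env file restricted with chmod 600, and no key literals in committed source) can be enforced in code. The following is an added Python example, not Lybic's own code; the function names `load_lybic_settings`, `find_hardcoded_keys` and `KEY_PATTERN` are hypothetical, and the key format (the `lysk-` prefix from this page's samples plus an assumed minimum length) is an assumption.

```python
import os
import re
import stat
from urllib.parse import urlparse

# Assumption (not from the Lybic docs): a key is "lysk-" followed by at least
# 16 URL-safe characters. Adjust the pattern to the real key format.
KEY_PATTERN = re.compile(r"lysk-[A-Za-z0-9_-]{16,}")


def load_lybic_settings(env=None, env_file=None):
    """Assemble client settings from the environment, refusing unsafe input.

    Enforces this page's rules: the key comes from LYBIC_API_KEY (never a
    literal), LYBIC_BASE_URL uses https, and an optional .env file is not
    readable by group or others. Raises ValueError on any violation.
    """
    env = os.environ if env is None else env
    api_key = env.get("LYBIC_API_KEY", "")
    if not KEY_PATTERN.fullmatch(api_key):
        raise ValueError("LYBIC_API_KEY is missing or malformed")
    base_url = env.get("LYBIC_BASE_URL", "https://your-base-url.example")
    if urlparse(base_url).scheme != "https":
        raise ValueError("LYBIC_BASE_URL must use https")
    if env_file is not None:
        mode = stat.S_IMODE(os.stat(env_file).st_mode)
        if mode & 0o077:  # anything beyond owner read/write: run chmod 600
            raise ValueError(f"{env_file} is readable by others")
    return {"apiKey": api_key, "orgId": env.get("LYBIC_ORG_ID", ""),
            "baseUrl": base_url}


def find_hardcoded_keys(source_text):
    """Return (line_number, redacted_key) for each key literal in source text.

    Usable from a pre-commit hook: a non-empty result means a key is about
    to be committed. Matches are truncated so the hook's own output does
    not copy the secret into CI logs.
    """
    hits = []
    for number, line in enumerate(source_text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            hits.append((number, match.group(0)[:9] + "..."))
    return hits


if __name__ == "__main__":
    # Constructed sample: the insecure snippet from this page, key on line 2.
    sample = ("const lybic = new LybicClient({\n"
              "  apiKey: 'lysk-abcdefghijklmnop1234', // Insecure\n})\n")
    print(find_hardcoded_keys(sample))
```

Wire `find_hardcoded_keys` into a pre-commit hook over the staged diff and call `load_lybic_settings(env_file=".env")` at application start-up so a weak configuration fails fast instead of running.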

Monitor Usage

Regularly review your API key usage:

  • Check the API Keys page in the Dashboard
  • Monitor for unexpected keys
  • Delete unused keys

Incident Response

If a Key is Compromised

Take immediate action if you suspect a key has been compromised:

  1. Delete the compromised key in the Dashboard immediately
  2. Create a new key and update your applications
  3. Review recent activity for any unauthorized access
  4. Rotate other keys if necessary

Contact Support

If you believe your organization's security has been compromised, contact Lybic support immediately.
