How should I keep my API key secure?

Treat an API key like a password — anyone holding it can use your account's credits. Best practices:

• Store it server-side; never embed it in websites, apps, or client-side code.
• Add an IP restriction to the key so it only works from your servers.
• Create separate keys per integration so you can revoke one without breaking the others.

Keys are shown exactly once at creation and stored hashed — we can't read them back. If a key leaks, revoke it instantly in Settings → API Keys and create a new one.