- In short
- Secrets and API key management is the practice of keeping credentials out of source code, scoping a separate key to each environment, rotating keys on a schedule, and revoking and rotating any key that leaks rather than leaving it active.
The secret does not belong in the code
Every Claude application authenticates to the API with a key, and every integration accumulates other credentials: database passwords, third-party tokens, signing secrets. The single most important rule for all of them, and the one the Claude Certified Developer - Foundations (CCDV-F) exam returns to under Task Statement 7.4, is that the secret does not live in the source code. A key hard-coded into a file, or pasted into a prompt template, has become part of an artifact that is copied, cloned, logged, and shared far more widely than the key itself ever should be.
Instead the application reads its secrets at runtime from somewhere outside the source tree. In simple deployments that is an environment variable, set on the machine or the container and never written into the repository. In larger systems it is a dedicated secret manager, a service whose entire job is to hold credentials, hand them to authorised processes at runtime, and record who asked. Either way the principle is identical: the code references the secret by name, and the actual value is supplied from the environment. This is a direct expression of the secure-by-design thinking in secure-by-design and least privilege, where a credential is exposed to as few places, and as few people, as possible.
- Secret management
- Keeping credentials such as API keys out of source code and supplying them at runtime from environment variables or a secret manager, so the value is never committed, logged, or embedded in an artifact.
Why committing a key is worse than it looks
The intuition many developers start with is that a key in a private repository is fine, or that deleting the line later undoes the mistake. Both are wrong, and the exam tests candidates on exactly this misplaced confidence. Source control is designed to remember everything: even after you remove a key in a new commit, the old value is still sitting in the history, readable by anyone who clones the repository or browses back through it. Repositories also travel further than people expect, into forks, into CI systems, onto laptops, into backups. A key committed once should be considered exposed forever, which is why the only correct response to a committed key is to rotate it, not to quietly delete the line.
One key per environment, never shared
The second discipline is scope. Development, staging, and production each get their own key, and a key is not reused across services either. This containment is what limits the blast radius when something goes wrong. If a development key leaks, it should be able to do development things only, and revoking it should have no effect on production traffic. If one production key were shared across every environment and every service, a single leak would compromise all of them at once, and rotating it would mean coordinating a change everywhere simultaneously, which teams avoid precisely when they most need to act.
Separate keys also make monitoring meaningful. When each environment has its own credential, unusual usage on one of them points at a specific place to investigate, which is what authorized access monitoring depends on. A single shared key turns every anomaly into an undifferentiated blur. Scoped keys are therefore not just tidier, they are what make the later stages of access control - validating who is calling and watching how keys are used - actually work.
Rotation and revocation
The third discipline is that keys are not permanent. Rotation means replacing a key with a fresh one on a regular schedule, so that even a credential that leaked without anyone noticing has only a limited window in which it is useful. Because keys are read from the environment rather than baked into code, rotation is an operational change - update the secret store, restart or refresh the consumers - not a code change and redeploy. Designing for rotation from the start, with one key per environment pulled from a secret source, is what keeps it a routine operation rather than an emergency.
Revocation is rotation's urgent cousin. The moment a key is known or suspected to be exposed, in a commit, a log, a screenshot, a shared file, it is revoked so it stops working, and a new key is issued to the legitimate consumers. The mistake the exam highlights is leaving a leaked key active in the hope that the exposure went unnoticed. A leaked credential is compromised by definition, and the only safe assumption is that someone hostile has it.
Worked example
A team ships a Claude-powered internal tool. During review, someone notices the production API key is set as a default value directly in a config file that is committed to the repository, and the same key is used from a developer's laptop for testing.
Two rules are broken at once. First, the key is in source control, so it is now in the git history and on every machine that has cloned the repo. Second, the production key is being reused for local development, so a leak from a laptop is a production leak.
The fix has an urgent part and a structural part. The urgent part is to treat the committed key as compromised: revoke it in the console so it stops working, and issue a new one. Deleting the line from the config is not enough, because the old value survives in history. The structural part is to stop the problem recurring: move the key out of the committed file so the application reads it from an environment variable or secret manager at runtime, and issue a separate, scoped key for development so the laptop never holds a production credential.
After the change the repository contains no secret at all, only a reference to one; production and development each have their own key that can be rotated independently; and if a key leaks again the response is a one-step revoke-and-rotate rather than a scramble. That is the whole of this knowledge point in practice, and it is the foundation the rest of Task Statement 7.4 builds on, starting with identity validation and access approval.
The traps the exam sets
Misconception
Committing an API key to a private repository is safe, and deleting it later removes the exposure.
What's actually true
Misconception
Using one strong production key everywhere is simpler and just as secure.
What's actually true
How it shows up on the exam
This is an understand-level knowledge point, so questions usually describe a handling practice and ask whether it is sound or how to correct it. The credited answers track three ideas: secrets stay out of code and are read from the environment or a secret manager, keys are scoped per environment rather than shared, and a leaked key is revoked and rotated rather than left active. Distractors offer the comfortable wrong answers - a key in a private repo is fine, deleting the line undoes a commit, one strong key everywhere is simpler. If you hold the three disciplines of storage, scope, and rotation in mind, those distractors are easy to strike out.
A developer discovers that a Claude API key was accidentally printed into an application log that is retained for 90 days. What is the correct response?
People also ask
Where should you store an API key instead of in code?
Should the same API key be used in development and production?
What do you do when an API key is leaked?
Watch and learn
Official Anthropic Academy lessons first, then hand-picked walkthroughs. Videos load only when you press play.
No videos curated for this concept yet
We are still curating the best official and community videos for this topic.
References & primary sources
Master this concept with Archie
Practice it inside an adaptive study session. Archie, your Socratic AI tutor, tracks your mastery with Bayesian Knowledge Tracing and schedules the perfect next review.