Security and Safety·Task 7.4·Bloom: understand·Difficulty 2/5·8 min read·Updated 2026-07-11

Secrets and API Key Management for the Developer Exam

Identity, Secrets, and Key Management (1.6%): Managing secrets, credentials, and API keys across Claude development and production environments, including identity validation and authentication, access approval and level verification, and authorized access monitoring.

SUBy Solomon UdohReviewed by Solomon UdohAI-assisted · human-reviewed
In short
Secrets and API key management is the practice of keeping credentials out of source code, scoping a separate key to each environment, rotating keys on a schedule, and revoking and rotating any key that leaks rather than leaving it active.

The secret does not belong in the code

Every Claude application authenticates to the API with a key, and every integration accumulates other credentials: database passwords, third-party tokens, signing secrets. The single most important rule for all of them, and the one the Claude Certified Developer - Foundations (CCDV-F) exam returns to under Task Statement 7.4, is that the secret does not live in the source code. A key hard-coded into a file, or pasted into a prompt template, has become part of an artifact that is copied, cloned, logged, and shared far more widely than the key itself ever should be.

Instead the application reads its secrets at runtime from somewhere outside the source tree. In simple deployments that is an environment variable, set on the machine or the container and never written into the repository. In larger systems it is a dedicated secret manager, a service whose entire job is to hold credentials, hand them to authorised processes at runtime, and record who asked. Either way the principle is identical: the code references the secret by name, and the actual value is supplied from the environment. This is a direct expression of the secure-by-design thinking in secure-by-design and least privilege, where a credential is exposed to as few places, and as few people, as possible.

Secret management
Keeping credentials such as API keys out of source code and supplying them at runtime from environment variables or a secret manager, so the value is never committed, logged, or embedded in an artifact.

Why committing a key is worse than it looks

The intuition many developers start with is that a key in a private repository is fine, or that deleting the line later undoes the mistake. Both are wrong, and the exam tests candidates on exactly this misplaced confidence. Source control is designed to remember everything: even after you remove a key in a new commit, the old value is still sitting in the history, readable by anyone who clones the repository or browses back through it. Repositories also travel further than people expect, into forks, into CI systems, onto laptops, into backups. A key committed once should be considered exposed forever, which is why the only correct response to a committed key is to rotate it, not to quietly delete the line.

Outside code
env var or secret manager
Per environment
a separate key for each
Rotate
on a schedule and on leak

One key per environment, never shared

The second discipline is scope. Development, staging, and production each get their own key, and a key is not reused across services either. This containment is what limits the blast radius when something goes wrong. If a development key leaks, it should be able to do development things only, and revoking it should have no effect on production traffic. If one production key were shared across every environment and every service, a single leak would compromise all of them at once, and rotating it would mean coordinating a change everywhere simultaneously, which teams avoid precisely when they most need to act.

Separate keys also make monitoring meaningful. When each environment has its own credential, unusual usage on one of them points at a specific place to investigate, which is what authorized access monitoring depends on. A single shared key turns every anomaly into an undifferentiated blur. Scoped keys are therefore not just tidier, they are what make the later stages of access control - validating who is calling and watching how keys are used - actually work.

Rotation and revocation

The third discipline is that keys are not permanent. Rotation means replacing a key with a fresh one on a regular schedule, so that even a credential that leaked without anyone noticing has only a limited window in which it is useful. Because keys are read from the environment rather than baked into code, rotation is an operational change - update the secret store, restart or refresh the consumers - not a code change and redeploy. Designing for rotation from the start, with one key per environment pulled from a secret source, is what keeps it a routine operation rather than an emergency.

Revocation is rotation's urgent cousin. The moment a key is known or suspected to be exposed, in a commit, a log, a screenshot, a shared file, it is revoked so it stops working, and a new key is issued to the legitimate consumers. The mistake the exam highlights is leaving a leaked key active in the hope that the exposure went unnoticed. A leaked credential is compromised by definition, and the only safe assumption is that someone hostile has it.

Where a secret lives and how it moves
Loading diagram...
The value flows from the secret store to the process at runtime; the code only names it. A leak triggers revoke and rotate at the store.

Worked example

A team ships a Claude-powered internal tool. During review, someone notices the production API key is set as a default value directly in a config file that is committed to the repository, and the same key is used from a developer's laptop for testing.

Two rules are broken at once. First, the key is in source control, so it is now in the git history and on every machine that has cloned the repo. Second, the production key is being reused for local development, so a leak from a laptop is a production leak.

The fix has an urgent part and a structural part. The urgent part is to treat the committed key as compromised: revoke it in the console so it stops working, and issue a new one. Deleting the line from the config is not enough, because the old value survives in history. The structural part is to stop the problem recurring: move the key out of the committed file so the application reads it from an environment variable or secret manager at runtime, and issue a separate, scoped key for development so the laptop never holds a production credential.

After the change the repository contains no secret at all, only a reference to one; production and development each have their own key that can be rotated independently; and if a key leaks again the response is a one-step revoke-and-rotate rather than a scramble. That is the whole of this knowledge point in practice, and it is the foundation the rest of Task Statement 7.4 builds on, starting with identity validation and access approval.

The traps the exam sets

Misconception

Committing an API key to a private repository is safe, and deleting it later removes the exposure.

What's actually true

Source control keeps full history, so a committed key remains readable even after the line is removed, and repositories are cloned and copied widely. The exam tests candidates on this: a committed key must be treated as leaked and rotated, never merely deleted.

Misconception

Using one strong production key everywhere is simpler and just as secure.

What's actually true

Reusing a single key across every environment and service means one leak compromises all of them and rotation must be coordinated everywhere at once. The exam trips candidates on this: keys are scoped per environment so a compromise is contained and each can be rotated independently.

How it shows up on the exam

This is an understand-level knowledge point, so questions usually describe a handling practice and ask whether it is sound or how to correct it. The credited answers track three ideas: secrets stay out of code and are read from the environment or a secret manager, keys are scoped per environment rather than shared, and a leaked key is revoked and rotated rather than left active. Distractors offer the comfortable wrong answers - a key in a private repo is fine, deleting the line undoes a commit, one strong key everywhere is simpler. If you hold the three disciplines of storage, scope, and rotation in mind, those distractors are easy to strike out.

Check your understanding

A developer discovers that a Claude API key was accidentally printed into an application log that is retained for 90 days. What is the correct response?

People also ask

Where should you store an API key instead of in code?
In an environment variable or a dedicated secret manager outside the source tree. The application reads the key at runtime, so it is never committed to the repository.
Should the same API key be used in development and production?
No. Each environment gets its own scoped key, so a compromised development key cannot reach production and each key can be rotated independently.
What do you do when an API key is leaked?
Revoke and rotate it. A leaked key is treated as compromised and replaced, rather than left active on the assumption the exposure went unnoticed.

Watch and learn

Official Anthropic Academy lessons first, then hand-picked walkthroughs. Videos load only when you press play.

No videos curated for this concept yet

We are still curating the best official and community videos for this topic.

References & primary sources

Adaptive study

Master this concept with Archie

Practice it inside an adaptive study session. Archie, your Socratic AI tutor, tracks your mastery with Bayesian Knowledge Tracing and schedules the perfect next review.

Start studying