Api

You can architect your deployment and version control process so API keys and passwords won’t reach developers and version control server. I think it should be always done like that – but I often see project where it was done otherwise.

How we do that:

• we store passwords and API keys in separate location on server from which only system admin can access it directly (web process that uses key also can obviously – but not a developer)
• we don’t allow direct access for most developers (neither through ftp nor ssh) to code on server and to those files, some lead dev-ops have such access
• we deploy by external deployment platform (I personally have used Beanstalkapp and DeployHQ so those I can recommend) that allows to deploy changes from git repository
• we allow only lead developers to deploy from there to production
• we have code reviews (so if one adds code to show password or key to himself then we will most probably see it)
• we do not store passwords and keys in git, those are configured on server (paths) and imported, main config files are git-ignored
• developers use other databases (local copies of structure and test data, staging server) and usually use other API keys (except some less crucial like google maps api etc.) when possible, often in docker, when not possible then there is a testing and staging server(s) to use and also separated like one of the production

I mean of course API keys and passwords used from server side jobs and code (like some external paid services or AWS cloud keys or open auth secret keys etc.). JavaScript keys can’t be really hidden. Those can be obfuscated but usually no need to do that.

copied answer from here