Securing Sensitive Data in Python: Best Practices for Storing API Keys and Credentials

Two ways of storing sensitive data that you can easily access from your code and share across your entire project.

Steve Dua
System Weakness


Image generated on Midjourney. Prompt: An old brick wall with a small opening reveals a glimpse of keys hidden within, waiting to be discovered

When you’re working on Python projects, you have to keep API keys and other sensitive information out of your source code.
You don’t want to accidentally push them to GitHub: anyone who finds a leaked key can use your account and quota, and once a secret is in a commit it stays in the history, so the only real fix at that point is to rotate it.

In this article I’m going to show you two different ways to store sensitive info in your Python projects so that you can access it from your code and share it across the whole project without ever committing it.

To show you how it works, we’re gonna be using the CoinMarketCap API to retrieve real-time cryptocurrency data like coin prices.

So let’s get started and keep that sensitive info safe!

The easy way: Store Variables in a Separate Python File

The first way to keep sensitive info like API keys out of your code is to put the variables in a separate Python file that is excluded from version control.
You can then import them wherever you need them.

First things first: create a new Python file and give it a name like credentials.py.
Then move all your sensitive values into this file, such as your API key, and delete the line that defined the key in your project code. The key is still stored in plain text on your disk, so this is a local-development technique, not a way to protect secrets on a shared or production machine.

credentials.py file

api_key = "<<your API key>>"

To access the variable from your credentials.py file, you need to import it into your project.
At the top of your code in your project file, add the line:

import credentials

You can then call the API key wherever you need it in your code using:

credentials.api_key

Don’t forget to exclude credentials.py from version control by adding it to your .gitignore file. Two checks are worth doing: run git check-ignore -v credentials.py to confirm that a rule actually matches, and remember that .gitignore only prevents future additions. If the file was already committed, git rm --cached credentials.py stops tracking it, but the key remains in the repository history and must be rotated.

The easy way: CoinMarketCap .py code example

The python-coinmarketcap package provides a CoinMarketCapAPI class that wraps the CoinMarketCap REST API, which is what we’ll use to retrieve cryptocurrency market data.
To get started, install it with pip by opening a terminal or command prompt and typing:

pip3 install python-coinmarketcap

Once you have installed the package, you can get a free CoinMarketCap API key by registering on their website. After you have registered, go to your account dashboard and click on the “API” tab. Then, follow the instructions to create an API key for your account.

Create a new Python file and name it credentials.py

credentials.py file

coinmarketcap_api_key = "aaaa-bbbb-cccc-dddd-eeee"

Create a new Python file and name it coinmarketcap.py
Add your import on top of the file.

coinmarketcap.py file

import credentials
from coinmarketcapapi import CoinMarketCapAPI


def getcoinvalue(coin):
    # The key never appears in this file: it is read from credentials.py,
    # which is listed in .gitignore.
    client = CoinMarketCapAPI(credentials.coinmarketcap_api_key)
    coin_dollar_value = 0.0

    try:
        symbol = coin.upper()
        quote = client.cryptocurrency_quotes_latest(symbol=symbol).data[symbol]
        coin_dollar_value = float(quote['quote']['USD']['price'])
    except Exception as exc:  # bad key, unknown symbol or network error
        print(f"Could not fetch {coin}: {exc}")

    return coin_dollar_value


def main() -> None:
    print(f"Cake value: {getcoinvalue('CAKE'):.2f} USD")


if __name__ == '__main__':
    main()

python3 coinmarketcap.py
output:
Cake value: 3.94 USD

Add the credentials.py file to your .gitignore file

Avoid committing this file to GitHub!

Create a new file and name it .gitignore

.gitignore file

# api keys
credentials.py <-- add this line
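Once credentials.py is ignored, the two remaining ways to leak a key are a value that never got moved out of some other file, and a credentials file that was committed before the ignore rule existed. The script below is an added example for this article, not code from the original post or from python-coinmarketcap: a small pre-commit-style scanner that flags quoted secret assignments in files that would be committed, and reports ignored files that git is already tracking. The file contents, ignore list and tracked-file list are constructed here so it runs offline; in a real hook you would read the working tree and the output of git ls-files instead.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Heuristic: a quoted literal assigned to a name containing api_key, secret,
# token or password. Constructed for this example; real scanners such as
# gitleaks ship far more patterns.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*(['"])(?P<value>[^'"]{8,})\1"""
)
# Template values that are not real secrets and must not be reported.
PLACEHOLDER = re.compile(r"^(<<.*>>|\$\{.*\}|your[_ -].*|changeme|x{8,})$", re.I)

Finding = Tuple[str, int, str]


def redact(value: str) -> str:
    """Keep only the last 4 characters so the report itself never leaks a key."""
    return "*" * max(0, len(value) - 4) + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return (path, line_number, redacted_value) for each suspected secret."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            value = match.group("value")
            if PLACEHOLDER.match(value):
                continue
            findings.append((path, lineno, redact(value)))
    return findings


def scan_files(files: Dict[str, str], ignored: Iterable[str]) -> List[Finding]:
    """Scan only the files that would be committed, i.e. not in the ignore list."""
    skip = set(ignored)
    findings: List[Finding] = []
    for path, text in files.items():
        if path not in skip:
            findings.extend(scan_text(path, text))
    return findings


def ignored_but_tracked(tracked: Iterable[str], ignored: Iterable[str]) -> List[str]:
    """Files listed in .gitignore that git already tracks.

    .gitignore only stops new files from being added. A credentials file that
    was committed earlier stays in the repository and its history until you
    run git rm --cached on it and rotate the key.
    """
    return sorted(set(tracked) & set(ignored))


# Constructed sample project (no real keys): the state after following the
# easy way above, except that one old script still has its key inline.
SAMPLE_FILES = {
    "credentials.py": 'coinmarketcap_api_key = "aaaa-bbbb-cccc-dddd-eeee"\n',
    "coinmarketcap.py": "import credentials\n"
                        "client = CoinMarketCapAPI(credentials.coinmarketcap_api_key)\n",
    "old_script.py": 'API_KEY = "0123456789abcdef0123"  # never moved to credentials.py\n',
    "config_example.py": 'api_key = "<<your API key>>"\n',
}
IGNORED = [".env", "credentials.py"]
# What git ls-files would print if credentials.py had been committed before
# the .gitignore rule was added (constructed).
TRACKED = ["coinmarketcap.py", "old_script.py", "credentials.py"]


def main() -> None:
    problems = False
    for path, lineno, shown in scan_files(SAMPLE_FILES, IGNORED):
        print(f"{path}:{lineno}: possible hard-coded secret {shown}")
        problems = True
    for path in ignored_but_tracked(TRACKED, IGNORED):
        print(f"{path}: ignored but already tracked; run git rm --cached {path} and rotate the key")
        problems = True
    raise SystemExit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

Exit status 1 is what makes this usable as a pre-commit hook: the commit is refused while a finding exists. Placeholders such as "<<your API key>>" and reads through os.getenv() or credentials.* are deliberately not reported, so the two patterns this article recommends pass clean.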

— — — — — — — — — — —
Spock: “Captain, there is an easy way and a hard way to do this.”
Kirk: “We’re Starfleet. We don’t do things the easy way.”
Spock nods: “Ah, the hard way. The illogical, but strangely satisfying way.”
Kirk: “Exactly. Plus, it makes for a better story.”
— — — — — — — — — — —

The hard way: Use Python-dotenv to Store Environment Variables

If you’re working on a larger project that needs more configuration values, or if you’re using a framework like Flask, the second way is better. Environment variables are how Docker, CI systems and cloud platforms inject configuration, so the same code runs locally with values from a .env file and in production with real environment variables and no .env file at all. Here, we’ll use python-dotenv to load the .env file, where we can store our sensitive data.

You can install python-dotenv by running this command:

pip3 install python-dotenv

Create a new file and name it .env.
This file will contain your sensitive information, one NAME=value pair per line.
For example, your API key can be added to the .env file as follows (upper-case names are the usual convention for environment variables, and the name must match exactly what you later pass to os.getenv):

.env file

API_KEY=<<your_api_key_here>>

In your Python code, import OS and dotenv:

import os
from dotenv import load_dotenv

You can then create a function to configure your environment variables, for example:

def load_api_keys():
    load_dotenv()

Add this function to your main function so that it runs before anything else. load_dotenv() looks for a .env file starting in the directory of the script that calls it and walking up the tree, and by default it does not override variables that are already set, so a real environment variable injected by your CI or hosting platform wins over the .env value.

load_api_keys()

To read the environment variable holding your API key, use the exact name from the .env file (environment variable names are case-sensitive on Linux and macOS, so api_key and API_KEY are different variables, and os.getenv simply returns None when the name does not match):

os.getenv("API_KEY")

Make sure to add .env to your .gitignore file so that it is never committed to your project, and if it was committed at some point, untrack it with git rm --cached .env and rotate the key.
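os.getenv() returns None when the name does not match what is in .env, and a client built with None only fails on its first request, far away from the real cause. The helper below is an added example for this article, not part of python-dotenv or of the original post: it fails fast with a hint when a required variable is missing, misnamed or still a placeholder, and it checks that the .env file itself is not readable by other local accounts. The environment mappings and the key value are constructed; in real code you call load_dotenv() first and let require_secret read os.environ, which is its default.

```python
import os
import stat
import tempfile
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent, misnamed or still a placeholder."""


def require_secret(name: str, env: Optional[Mapping[str, str]] = None, min_len: int = 8) -> str:
    """Return the secret called `name`, or raise with a message that says why not.

    Unlike os.getenv(), this never hands back None. `env` defaults to
    os.environ, which is where load_dotenv() puts the .env values.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        # Names are case-sensitive on Linux/macOS: 'api_key' in .env is not 'API_KEY'.
        near = sorted(k for k in env if k.lower() == name.lower() and k != name)
        hint = f" (did you mean {near[0]!r}? names are case-sensitive)" if near else ""
        raise MissingSecretError(f"{name} is not set{hint}; add it to .env or the environment")
    value = value.strip()
    # Catch template values copied over unchanged, such as <<your_api_key_here>>.
    if len(value) < min_len or (value.startswith("<<") and value.endswith(">>")):
        raise MissingSecretError(f"{name} is set to a placeholder, not a real key")
    return value


def env_file_is_private(path: str) -> bool:
    """True when no group/other permission bits are set on the file.

    A .env that every local account can read is only slightly better than a
    committed one. Mode bits are meaningful on POSIX only; Windows uses ACLs.
    """
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_private_env(path: str, variables: Mapping[str, str]) -> None:
    """Create a .env file readable only by its owner (mode 0600 on POSIX)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, value in variables.items():
            fh.write(f"{key}={value}\n")
    os.chmod(path, 0o600)  # also fixes the mode if the file already existed


def demo_private_env_file() -> bool:
    """Write a throwaway .env with a constructed key and confirm it is owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        # Constructed value, not a real key.
        write_private_env(path, {"COINMARKETCAP_API_KEY": "aaaa-bbbb-cccc-dddd-eeee"})
        return env_file_is_private(path) if os.name == "posix" else True


def main() -> None:
    # Mirrors the hard way above: load_dotenv() would populate os.environ first.
    try:
        key = require_secret("COINMARKETCAP_API_KEY")
        print(f"key loaded, ends in ...{key[-4:]}")
    except MissingSecretError as exc:
        print(f"refusing to start: {exc}")


if __name__ == "__main__":
    main()
```

Calling require_secret at start-up, before any client is constructed, turns a typo in a variable name into a one-line error at launch instead of an "invalid key" message buried in a later API call.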

The hard way: CoinMarketCap .env code example

Install python-coinmarketcap and python-dotenv, and get a free CoinMarketCap API key, exactly as described in the easy way above:

pip3 install python-coinmarketcap python-dotenv

Create a new file and name it .env

.env file

coinmarketcap_api_key=aaaa-bbbb-cccc-dddd-eeee

Quotes are optional here: python-dotenv strips a matching pair of straight single or double quotes, but curly “smart quotes” pasted from a document become part of the value and the key will be rejected. Keep the name exactly as you will pass it to os.getenv(), since environment variable names are case-sensitive on Linux and macOS.

Create a new Python file and name it coinmarketcap.py

coinmarketcap.py file

import os

from coinmarketcapapi import CoinMarketCapAPI
from dotenv import load_dotenv


def load_api_keys():
    # Reads .env and puts its values into os.environ (without overriding
    # variables that are already set).
    load_dotenv()


def getcoinvalue(coin):
    # Same name as in .env: environment variable names are case-sensitive.
    client = CoinMarketCapAPI(os.getenv('coinmarketcap_api_key'))
    coin_dollar_value = 0.0

    try:
        symbol = coin.upper()
        quote = client.cryptocurrency_quotes_latest(symbol=symbol).data[symbol]
        coin_dollar_value = float(quote['quote']['USD']['price'])
    except Exception as exc:  # missing/bad key, unknown symbol or network error
        print(f"Could not fetch {coin}: {exc}")

    return coin_dollar_value


def main() -> None:
    load_api_keys()
    print(f"Cake value: {getcoinvalue('CAKE'):.2f} USD")


if __name__ == '__main__':
    main()

python3 coinmarketcap.py
output:
Cake value: 3.94 USD

Add the .env file to your .gitignore file

Avoid committing this file to GitHub!

Create a new file and name it .gitignore

.gitignore file

# api keys
.env <-- add this line

Creating .files

For Mac users:
Finder hides files whose names begin with a “.”, so you may not see .env or .gitignore after creating them. The quickest fix is to create them from Terminal (for example, touch .env .gitignore inside the project folder) or from your editor. To show hidden files in Finder, press Cmd+Shift+. or enter the following Terminal commands:

defaults write com.apple.finder AppleShowAllFiles -bool YES
killall Finder

When you’re done, enter these commands to hide them again:

defaults write com.apple.finder AppleShowAllFiles -bool NO
killall Finder

Conclusion

It’s crucial to be careful when dealing with sensitive information in your code and to avoid sharing it on GitHub accidentally.
With the techniques above, your keys live in a file that stays on your machine while the code that uses them can be shared freely.
Never write API keys or credentials directly into your code: a public repository is scanned for them within minutes of a push.
Don’t forget to add the sensitive files to .gitignore, verify the rule with git check-ignore, and rotate any key that has ever been committed, because removing the file does not remove it from the history.
Both techniques still keep the secret in plain text on disk, which is fine for a local script; for anything deployed or shared, inject the values as real environment variables from your CI or hosting platform, or from a secrets manager, rather than copying a .env file around.

References

Download the code from Github here:

The easy way:
https://github.com/stevebelgium/coinmarketcap_example1
- credentials.py file not included -

The hard way:
https://github.com/stevebelgium/coinmarketcap_example2
- .env file not included -
