Hiding Your API Keys in Ruby

“Unprotected data” == “BAD” 😬

Stephen Anderson
4 min readSep 24, 2020

Thank you for visiting this post! Be sure to also take a look at my other work on LinkedIn and GitHub.

Photo by Clément H on Unsplash

When it comes to APIs, we’re generally so excited to get our apps up and running with the plethora of data- that we don't initially stop to think of the security aspects of using one. Yet, we can find stories everywhere online where an API key was stolen, and all of a sudden the key owner is sent a huge bill for API calls that they never made. Is there a way to stop this? There is! And this article will tell you how.

So how do API keys even get stolen you may ask? Well, there are several ways. The most common is someone hard-coding their API key into their project and then uploading their project’s files to a site where it is open to the public, such as GitHub. It just takes one person to open up your project’s repo and peak around, and voila! your private API key has been discovered by someone that is not you.

How do we stop this from ever happening? Glad you asked! When working with Ruby, we discovered that the best way of stopping this is to use the dotenv gem. This gem allows us to store variables in a hidden file (.env) at the root of our directory and call on those variables in other parts of our project. So, instead of hard coding an API key like this:

Example of a hard-coded API Key

We would actually put a variable in its place, so the same code with dotenv would now look like this:

Example of the same code using dotenv instead.

Yes, it is like magic. So how do we set this up? Let's go through the steps. First, we need to download the dotenv gem. We can start out by adding the gem to our project’s gemfile as such:

Add dotenv to gemfile.

Then run bundle install from your terminal to download the gem to your machine. Next, we need to create our hidden file (.env) in our project’s root directory. This is where we’ll actually store our hidden variables. After the file is created, we can add the word “export” along with our API key to the .env file and give it a variable name to reference in our other project files:

Add API key to dotenv file

Now that .env has been created and our API key has been added as a variable, we can reference that variable name anywhere in our project. However, we have a few more things to set up before we’re in business. The next thing we’ll need to do is add our .env file to our .gitignore file. This will keep git from pushing our .env file to our remote repository (such as GitHub), that way our .env file containing our API key stays local to us and is not posted online for the world to see. Add the following line of code to .gitignore:

Add .env file to .gitignore file

Ok… I know that’s a lot of steps! But we’re on the home stretch, and we’re down to the last one 🙌

The final step is to tell your project’s environment file to require dotenv and also to load it as well. Now, in my project, I require everything in the gemfile by having it run Bundler.require on startup, but you can require dotenv individually as well. You will also need to tell it to load the .env file when starting your program, so what you add to your environment file should look something like this:

Load .env in environment file

And that is it! You have officially hidden (and more importantly protected) your private API key! You can now reference your API key as a variable in your project wherever you like by putting ENV[“variable-name-from-.env-file”]. Check out us using it for our Yelp API calls here:

API call logic using ENV variable

I hope this article helped you in learning how to protect your private API keys in Ruby! If you would like to learn more about dotenv, feel free to check it out at https://rubygems.org/gems/dotenv.



Stephen Anderson

Hi, I’m Stephen! I’m a Software Engineer just trying to help people through applications that make the world better. Check me out at stephenanderson.dev.