
Secrets & API Keys

Secrets are your third-party API keys stored securely on ProtectMyAPI servers. They’re encrypted at rest and injected into requests server-side — your mobile app never sees them.

🔐 Security: Secrets are encrypted with AES-256. Even ProtectMyAPI engineers cannot read your raw keys.


How Secrets Work

1. You add "OPENAI_API_KEY" = "sk-abc123..." in dashboard
2. Secret is encrypted and stored
3. Your app calls ProtectMyAPI
4. We decrypt and inject the key into the request
5. Forward to OpenAI with your key
6. Your app never sees "sk-abc123..."

Adding a Secret

  1. Click “Secrets” in the sidebar (or “API Keys”)
  2. Click “Add Secret”

Enter Secret Details

| Field | Example | Description |
| --- | --- | --- |
| Name | OPENAI_API_KEY | Identifier (used in services) |
| Value | sk-abc123... | Your actual API key |

Save

Click “Save” — the secret is now encrypted and stored.


Naming Conventions

Use clear, consistent naming:

| Provider | Recommended Name |
| --- | --- |
| OpenAI | OPENAI_API_KEY |
| Anthropic | ANTHROPIC_API_KEY |
| Google | GOOGLE_API_KEY |
| Stripe | STRIPE_SECRET_KEY |
| Stability AI | STABILITY_API_KEY |
| ElevenLabs | ELEVENLABS_API_KEY |

💡 Tip: Use _PROD and _DEV suffixes for environment separation: OPENAI_API_KEY_PROD, OPENAI_API_KEY_DEV


Using Secrets

In API Services

When creating an API Service:

  1. Select Auth Type (e.g., Bearer Token)
  2. Choose your Secret from the dropdown
  3. The secret value is automatically injected into requests

Template Syntax

In custom configurations, reference secrets with double braces:

Authorization: Bearer {{OPENAI_API_KEY}}
X-Api-Key: {{MY_CUSTOM_KEY}}
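
An added example, not ProtectMyAPI's own code: a sketch of how double-brace placeholders like the ones above could be resolved server-side, plus a pre-deployment lint that flags unknown secret names and keys pasted directly into a template. The function names, the allowed name characters and the sample secret value are assumptions made for illustration.

```python
import re

# Double-brace placeholder as shown on this page, e.g. {{OPENAI_API_KEY}}.
# The allowed name characters are an assumption, not documented behaviour.
PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_]+)\}\}")
# Key prefixes listed under "Common Provider Keys" on this page.
RAW_KEY = re.compile(r"\b(sk-ant-|sk-proj-|sk-|AIza)[A-Za-z0-9_\-]{8,}")


def render_header(template, secrets):
    """Substitute {{NAME}} placeholders; names are matched case-sensitively."""
    def substitute(match):
        name = match.group(1)
        if name not in secrets:
            # Fail closed: raising means the unresolved template is never sent.
            raise KeyError(f"Secret not found: {name}")
        value = secrets[name]
        if "\r" in value or "\n" in value:
            # A line break inside the value would split the header in two.
            raise ValueError(f"secret {name} contains a line break")
        return value
    return PLACEHOLDER.sub(substitute, template)


def lint_template(template, known_names):
    """Pre-deployment check: report unknown names and hardcoded keys."""
    problems = [f"unknown secret: {name}"
                for name in PLACEHOLDER.findall(template)
                if name not in known_names]
    if RAW_KEY.search(template):
        problems.append("hardcoded key: use a {{NAME}} placeholder instead")
    return problems


def mask(value):
    """Masked form for logs, in the sk-****...**** style shown on this page."""
    prefix = "sk-" if value.startswith("sk-") else ""
    return f"{prefix}****...****"


if __name__ == "__main__":
    # Constructed sample secret, not a real key.
    store = {"OPENAI_API_KEY": "sk-constructed-example-0000"}
    rendered = render_header("Authorization: Bearer {{OPENAI_API_KEY}}", store)
    print(rendered.replace(store["OPENAI_API_KEY"], mask(store["OPENAI_API_KEY"])))
    print(lint_template("X-Api-Key: {{MY_CUSTOM_KEY}}", set(store)))
```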

Managing Secrets

Viewing Secrets

For security, secret values are masked after creation:

  • You’ll see: sk-****...****
  • Full value is never displayed again

Updating a Secret

  1. Go to Secrets
  2. Click the edit icon on the secret
  3. Enter the new value
  4. Click Save

⚠️ Note: You cannot view the current value. You must enter the complete new value when updating.

Deleting a Secret

  1. Go to Secrets
  2. Click the delete icon
  3. Confirm deletion

🚨 Warning: Deleting a secret will break any API Services using it. Update your services first.


Secret Security

Encryption

| Layer | Protection |
| --- | --- |
| At Rest | AES-256 encryption |
| In Transit | TLS 1.3 |
| Access | Only injected during proxied requests |
| Audit | All access is logged |

Who Can Access

| Role | Can View | Can Create | Can Delete |
| --- | --- | --- | --- |
| Owner | Masked only | | |
| Admin | Masked only | | |
| Member | Masked only | | |

Best Practices

1. Use Separate Keys per Environment

OPENAI_API_KEY_DEV → Development testing
OPENAI_API_KEY_PROD → Production app

2. Rotate Keys Regularly

  1. Generate new key from provider (OpenAI, etc.)
  2. Update secret in ProtectMyAPI
  3. Old key stops working immediately
  4. Revoke old key at provider

3. Minimal Permissions

When possible, create API keys with limited scopes:

  • OpenAI: Project-specific keys
  • Stripe: Restricted keys with only needed permissions

4. Monitor Usage

Check Analytics for unusual patterns that might indicate key compromise.


Troubleshooting

“Secret not found”

  • Check secret name spelling (case-sensitive)
  • Verify secret exists in the current organization
  • Ensure secret is linked to the API Service

“Invalid API key” from provider

  • The secret value may be incorrect
  • Try updating the secret with a fresh key
  • Verify the key works directly with the provider

“Unauthorized” errors

  • Check the Auth Type matches the provider’s requirements
  • Verify the header name is correct
  • Some providers need additional headers (org ID, etc.)

Common Provider Keys

OpenAI

Name: OPENAI_API_KEY
Value: sk-proj-...
Get from: https://platform.openai.com/api-keys

Anthropic

Name: ANTHROPIC_API_KEY
Value: sk-ant-...
Get from: https://console.anthropic.com/

Google AI (Gemini)

Name: GOOGLE_API_KEY
Value: AIza...
Get from: https://aistudio.google.com/app/apikey

Stability AI

Name: STABILITY_API_KEY
Value: sk-...
Get from: https://platform.stability.ai/

ElevenLabs

Name: ELEVENLABS_API_KEY
Value: ...
Get from: https://elevenlabs.io/app/settings/api-keys

Organization-Wide Secrets

Secrets are scoped to your organization:

  • All apps in the organization can use the same secrets
  • Team members with access can link secrets to services
  • Switching organizations shows different secrets
