Keeping secrets safe

A secret is any credential that grants access to a system — API keys, database tokens, passwords. Anyone who has it can act as you. Secrets are the keys to your infrastructure.

Rules for secrets

  1. Never paste them into code. If you commit a secret to Git, it stays in the repository history even after you delete it from the current files, so anyone who can clone the repo can still recover it. Use environment variables instead.
  2. Never share them in chat or email. Treat them like passwords.
  3. Store them in a password manager. You'll need these values again — when setting up a new machine, debugging a deployment, or rotating tokens.
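As an added example that is not part of the original page, the Python below puts rule 1 into practice from both sides: it reads secrets from environment variables and fails fast when one is unset, and it scans the added lines of a diff for likely hard-coded secrets before they land in Git history. The pattern list and the sample diff are constructed for illustration, not a real scanner's rule set.

```python
import os
import re

# Regexes for common secret shapes: an assignment to a secret-looking name
# with a quoted literal of 8+ characters, or a well-known token prefix.
# Constructed for illustration; real scanners carry many more patterns.
SECRET_PATTERNS = [
    re.compile(r'(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["\']([^"\']{8,})["\']'),
    re.compile(r'\b(AKIA[0-9A-Z]{16})\b'),     # AWS access key id shape
    re.compile(r'\b(ghp_[A-Za-z0-9]{36})\b'),  # GitHub token shape
]

def missing_secrets(names, env=None):
    """Return the names that are unset or blank in the environment."""
    env = os.environ if env is None else env
    return [n for n in names if not env.get(n, "").strip()]

def load_secrets(names, env=None):
    """Read secrets from the environment (rule 1) and fail fast if any are
    missing, so a service never starts with an empty credential."""
    env = os.environ if env is None else env
    missing = missing_secrets(names, env)
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {n: env[n].strip() for n in names}

def find_hardcoded_secrets(diff_text):
    """Scan the added lines of a unified diff and return (line_number, snippet)
    for each line matching a secret pattern. Intended for `git diff --cached`
    output, i.e. before the commit enters history."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append((lineno, line[1:].strip()))
    return hits

# Constructed sample diff: a hard-coded password, an environment lookup
# (fine), a comment, and a placeholder token with a recognisable prefix.
SAMPLE_DIFF = (
    "+++ b/config.py\n"
    '+DB_PASSWORD = "example-password-1234"\n'
    '+API_KEY = os.environ["API_KEY"]\n'
    "+# see README for setup\n"
    '+curl -H "Authorization: token ghp_' + "A" * 36 + '"\n'
)

if __name__ == "__main__":
    for lineno, snippet in find_hardcoded_secrets(SAMPLE_DIFF):
        print(f"possible secret at diff line {lineno}: {snippet}")
```

Wiring `find_hardcoded_secrets` into a pre-commit hook over `git diff --cached` catches the mistake before it becomes permanent; a secret that already reached history should be treated as exposed.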

Use a password manager

If you don't have one yet, 1Password is the best option. It stores passwords, API keys, tokens, and notes — all encrypted and synced across your devices. You can copy a secret with one click instead of hunting through old tabs or messages.

The free alternatives (like Apple Keychain or Google Password Manager) work for website logins but aren't designed for developer secrets — they don't handle arbitrary key-value pairs well, and they lack features like shared vaults and CLI access.

If you already use a different password manager, that's fine. The important thing is that secrets live in one secure place, not scattered across sticky notes, text files, and DMs.