Organize API keys without slowing down your workflow

Security advice fails when it adds twenty seconds of friction every five minutes. The winning systems are boring, predictable, and fast.

This article is a field guide to organizing API keys and developer credentials so you stay productive — with patterns that align well to a native macOS vault like PassStore.


1. One naming scheme to rule them all

Pick a convention and document it in CONTRIBUTING.md:

<provider>_<purpose>_<environment>

Examples:
stripe_signing_secret_dev
github_pat_ci_readonly
aws_access_key_id_staging_human

Why: when everything is named API_KEY, grep becomes useless and people re-copy the wrong value.


2. Separate “human” vs “machine” credentials

Type                    Typical storage                        Rotation
Human dev keys          Personal vault / PassStore workspace   Monthly or on team change
CI read tokens          GitHub/GitLab secret store             Quarterly + on incident
Production automation   Cloud secret manager                   Automated where possible

Mixing them guarantees someday someone runs npm test with a production database URL.


3. Clipboard hygiene (underrated)

  • Clear clipboard managers’ history for password fields if your tool allows.
  • Never paste secrets into search bars, Slack, or Zoom chat “temporarily.”
  • Prefer direct paste into the terminal from a vault without intermediate buffers when your tool supports it.

macOS Universal Clipboard can sync clipboards to other devices — be mindful if you copy secrets.


4. Project layout in a vault (example)

For repository acme/payments-api:

Workspace: payments-api
  Group: dev
    STRIPE_SECRET_KEY
    DATABASE_URL
    JWT_SIGNING_KEY
  Group: staging (optional)
    ...

Mirror how you think about deploy targets, not how files happen to exist on disk.

More on multi-env thinking: multiple .env files guide.


5. Terminal ergonomics

Option A: short-lived export in a dedicated shell tab

export STRIPE_SECRET_KEY="sk_test_..."
export DATABASE_URL="postgresql://..."
npm run dev

Close the tab when done — env vars die with the process tree (child processes may inherit; know your shell).

Option B: direnv (advanced)

direnv loads .envrc when you cd into a folder. Powerful — also easy to leak if .envrc is committed. If you use it, add strict team review rules.


6. IDE settings that bite

  • .vscode/settings.json in repo — never put secrets there; they are easy to commit.
  • Debug launch.json — use input variables or gitignored local-only files.
  • AI coding assistants — avoid pasting live keys into prompts; use redacted examples.
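
One way to enforce the .envrc and IDE-file rules above is a pre-commit hook that refuses to commit the local-only files and flags values shaped like live keys. This is an added example, not code from the article or from PassStore; the key-shape patterns are constructed approximations and should be tuned per team.

```shell
#!/bin/sh
# Pre-commit hook (added example). Rejects staged files that should stay
# local (.envrc, .env*, .vscode/settings.json, launch.json) and any staged
# file containing a value that looks like a live credential.

# Paths that should never reach the repository.
forbidden_path() {
  case "$1" in
    .envrc|*/.envrc|.env|*/.env|.env.*|*/.env.*|*.env.bak|\
    .vscode/settings.json|*/.vscode/settings.json|launch.json|*/launch.json)
      return 0 ;;
  esac
  return 1
}

# Constructed patterns for common key shapes: sk_live_/sk_test_ (Stripe style),
# ghp_ (GitHub PAT style), AKIA (AWS access key id style), DB URLs with a password.
SECRET_RE='(sk_(live|test)_[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{20,}|AKIA[A-Z0-9]{16}|postgres(ql)?://[^:/]+:[^@]+@)'

# Returns 0 when the file contains a secret-shaped value, 1 otherwise.
contains_secret() {
  grep -Eq "$SECRET_RE" "$1"
}

# Check every path given as an argument; print a reason for each rejection.
# Return value is the number of problems found (0 means the commit may proceed).
check_staged() {
  bad=0
  for f in "$@"; do
    if forbidden_path "$f"; then
      echo "refusing: $f is a local-only credential file (add it to .gitignore)" >&2
      bad=$((bad + 1))
    elif [ -f "$f" ] && contains_secret "$f"; then
      echo "refusing: $f contains a value shaped like a live API key" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# When installed as .git/hooks/pre-commit, check git's staged file list.
if [ "${0##*/}" = "pre-commit" ]; then
  # shellcheck disable=SC2046
  check_staged $(git diff --cached --name-only --diff-filter=ACM) || exit 1
fi
```

Copy it to .git/hooks/pre-commit and mark it executable; the file-name check at the bottom keeps the git call from running when the functions are sourced for testing.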

7. Rotation cadence that teams can keep

A realistic minimum:

  • Onboarding / offboarding — rotate shared dev keys if you used them.
  • After any suspected leak — immediate.
  • Quarterly — for high-value third parties (cloud admin, payment providers).

Document who owns rotation for each integration.


8. Where PassStore saves time

PassStore is designed for fast access to developer secrets on macOS — workspace grouping, Keychain-backed storage options, encrypted vault at rest (see Security overview). Less hunting through old .env.bak files means fewer “I will just paste this in Slack” moments.
