Ask HN: Best practice for storing API keys securely in a B2B SaaS

[securityquest]

My company builds B2B software that has integrations with other systems. These usually require an API key or similar.

When connecting to these systems, we need the API key as plain text.

What is the best practice for storing integrations API keys?

Storing it as plain text in our DB, might be risky in case our DB is compromised.

Thanks

[lioeters]

API keys are typically stored as environment variables:

https://help.openai.com/en/articles/5112595-best-practices-f...

[ayi]

Deploying them as ENV values and reading from env is the best practice as far as I know. But "deploying" part depends on your infrastructure.

[securityquest]

Do you store them as plaintext in the backend db?

[tedyoung]

Often keys are stored in some sort of secure Key Vault. This is part of the infrastructure, e.g., Azure Key Vault. Or something like https://www.vaultproject.io/docs/secrets