Use GPG to keep your Rails secrets secure (bugsnag.com)
19 points by loopj 4418 days ago
2 comments

I prefer using Symmetric Encryption: https://github.com/reidmorrison/symmetric-encryption

It's super simple to set up and maintain. The only pain point is how to distribute the private key to new users. Haven't quite found a super easy way to do that yet. Generally we just airdrop it to the person.

(Re-)encrypt it to the GPG keys of the people you want to have access and stick it in the repo?
I prefer storing secrets/api tokens in a database.

Runs the risk of leaking secrets via a SQL injection exploit though, but if that happens, you're already screwed.

For development, we consider all keys/tokens available to developers as public -- i.e. for authorize.net accounts, those tokens are tied to test accounts.