API keys are created in Settings.

Each key should be named in a way that tells you which external system or environment uses it.

The raw key is shown only once, so capture it immediately when it is created.

Treat API keys like secrets, not like identifiers.

Store them in environment variables, a secret manager, or equivalent secure infrastructure.

Avoid pasting them into code, screenshots, or shared notes.

If a key is no longer needed, revoke it from Settings.

After revocation, update or remove the corresponding key in the external system that used it.

A revoked key should be considered permanently unusable and replaced rather than reused.