IBM API keys are used to authenticate applications that consume IBM Cloud APIs.
If your application interacts with IBM then it requires credentials to access all the resources it needs to function properly. Resources that canbe accessed depend on the permissions granted to the account. These credentials may authenticate a user who has unrestricted access to all resourcesin your account, including billing information.
Recommended Secure Coding Practices
Only administrators should have access to the IBM API keys used by your application.
As a consequence, IBM API keys should not be stored along with the application code as they could be disclosed to a large audience or could be madepublic.
IBM API keys should be stored outside of the code in a file that is never committed to your application code repository.
If possible, a better alternative is to use your cloud provider’s service for managing secrets. On IBM Cloud this service is called Secrets Manager.
When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.
In addition to secure storage, it’s important to apply restrictions to API keys in order to mitigate the impacts whenthey are discovered by malicious actors.