
Handling Secrets and Configuration

Your API key is a secret. If someone gets it, they can make requests as you — potentially running up charges or accessing your data. Proper secret handling isn't paranoia; it's professional practice that prevents real problems.

Why Secrets Must Stay Out of Code

Imagine you commit code with your API key hardcoded, then push to GitHub. That key is now public, searchable, and permanently in Git history. Bots actively scan public repositories for exposed credentials. Your key could be compromised within minutes.

The solution: never put secrets in code. Load them from the environment instead.

Using Environment Variables

Python's os module reads environment variables:

import os

api_key = os.environ.get('ALPHA_VANTAGE_API_KEY')
if not api_key:
    raise ValueError(
        "Missing ALPHA_VANTAGE_API_KEY. "
        "Set it in your environment or .env file."
    )

The get method returns None if the variable doesn't exist, letting you provide a helpful error message instead of a cryptic crash.

Local Development With .env Files

Setting environment variables manually is tedious. The python-dotenv package loads them from a .env file automatically:

import os
from dotenv import load_dotenv

load_dotenv()  # Load variables from the .env file into os.environ

api_key = os.environ.get('ALPHA_VANTAGE_API_KEY')

Your .env file contains the actual values:

ALPHA_VANTAGE_API_KEY=your_actual_key_here

This file stays on your machine. It never gets committed because your .gitignore excludes it:

.env

Configuration Beyond Secrets

Environment variables work for any configuration that might change between environments. Your development machine might use a test API endpoint, while production uses the real one:

API_BASE_URL=https://www.alphavantage.co/query
REQUEST_TIMEOUT=30

Separating configuration from code means you can change behavior without editing source files.
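The pieces above (a required secret, optional settings with defaults, and the environment taking precedence over the .env file) put together as an added example; this is not code from the course. It replaces python-dotenv with a minimal parser so it runs offline, the sample .env text and key are constructed, and the redact helper is added so the key never ends up in logs:

```python
import os
from dataclasses import dataclass

# Constructed sample .env contents; the key is a placeholder, not a real key.
SAMPLE_DOTENV = """
# comment lines and blank lines are ignored
ALPHA_VANTAGE_API_KEY=demo_key_1234567890
API_BASE_URL=https://www.alphavantage.co/query
REQUEST_TIMEOUT=30
"""

def parse_dotenv(text):
    """Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values

@dataclass
class Settings:
    api_key: str
    base_url: str
    timeout: int

def load_settings(dotenv_text, environ=None):
    """Layer .env values under the real environment (the environment wins,
    like load_dotenv's default), then validate what the CLI actually needs."""
    env = dict(os.environ if environ is None else environ)
    for key, value in parse_dotenv(dotenv_text).items():
        env.setdefault(key, value)
    api_key = env.get("ALPHA_VANTAGE_API_KEY")
    if not api_key:
        raise ValueError("Missing ALPHA_VANTAGE_API_KEY. "
                         "Set it in your environment or .env file.")
    try:
        timeout = int(env.get("REQUEST_TIMEOUT", "30"))
    except ValueError:
        raise ValueError("REQUEST_TIMEOUT must be a whole number of seconds") from None
    if timeout <= 0:
        raise ValueError("REQUEST_TIMEOUT must be positive")
    base_url = env.get("API_BASE_URL", "https://www.alphavantage.co/query")
    return Settings(api_key, base_url, timeout)

def redact(secret):
    """Keep only the last 4 characters for log and error output."""
    if len(secret) <= 4:
        return "****"
    return "*" * (len(secret) - 4) + secret[-4:]
```

Passing `environ={}` in tests isolates the loader from whatever is set in your real shell.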

Production Secret Management

For deployed applications, environment variables still work, but you'll often use dedicated tools like AWS Secrets Manager, HashiCorp Vault, or Doppler. These provide encryption, access control, and audit logs. For now, .env files are perfect for learning — just remember they're a stepping stone to more robust solutions.


Last updated December 13, 2025
