Best Practices for Tavily API Key Safety

Last updated: March 12, 2025

1. Avoid Deploying Your API Key in Client-Side Environments

Never expose your API key in client-side environments such as browsers, mobile apps, or public code repositories. Doing so can allow unauthorized users to misuse your key, leading to unexpected charges and security risks. Instead, route all requests through a secure backend server.

2. Never Commit Your API Key to Source Code Repositories

Committing an API key to a public repository is a common security mistake that can lead to unauthorized access and misuse. Even in private repositories, there is a risk of leaks due to data breaches. To prevent accidental exposure, use environment variables to store your API key securely.

3. Store Your API Key Using Environment Variables

Using environment variables is a secure way to manage your API key without embedding it directly in your code. Here’s how you can set up environment variables:

Windows Setup:

Option 1: Using Command Prompt

setx TAVILY_API_KEY "your-api-key"

This setting applies to future command prompt sessions. To confirm, open a new prompt and run:

echo %TAVILY_API_KEY%

Option 2: Using the Control Panel

  1. Open System Properties and select Advanced system settings.

  2. Click on Environment Variables.

  3. Under User variables, click New and enter:

    • Variable name: TAVILY_API_KEY

    • Variable value: your-api-key

Linux / macOS Setup:

Option 1: Using zsh

echo "export TAVILY_API_KEY='your-api-key'" >> ~/.zshrc
source ~/.zshrc

To confirm:

echo $TAVILY_API_KEY

Option 2: Using bash Follow the same steps but replace .zshrc with .bash_profile.

Now, you can reference your API key in your application:

import os
TAVILY_API_KEY = os.environ.get("TAVILY_API_KEY")

Option 3: Using a .env File in Your Application

You can also store your API key in a .env file to keep it separate from your codebase. Create a .env file in your project directory and add:

TAVILY_API_KEY=your-api-key

Then, load the environment variables in your application:

Python:

from dotenv import load_dotenv
import os

load_dotenv()
TAVILY_API_KEY = os.getenv("TAVILY_API_KEY")

Node.js:

require('dotenv').config();
const TAVILY_API_KEY = process.env.TAVILY_API_KEY;

4. Monitor API Usage and Rotate Keys When Necessary

Regularly monitor your API usage through the Tavily dashboard. If you suspect your key has been compromised, immediately revoke and regenerate a new key from the API Keys page.