What to do if your API key leaks
If you suspect or know that your API key has been leaked (e.g., committed to a public repository, shared in a screenshot, or exposed in client-side code), immediate action is required to protect your account and quota. Follow these steps immediately:
- Log in to your account: Go to the Tavily Dashboard.
- Revoke the leaked key: Navigate to the API Keys section. Identify the compromised key and delete or revoke it immediately. This will stop any unauthorized usage.
- Generate a new key: Create a new API key to replace the compromised one.
- Update your applications: Replace the old key with the new one in your environment variables, secrets management systems, and application code.
Rotating your API keys
As a general security best practice, we recommend rotating your API keys periodically (e.g., every 90 days). This minimizes the impact if a key is ever compromised without your knowledge.
How to rotate your keys safely
To rotate your keys without downtime:
- Generate a new key: Create a new API key in the Tavily Dashboard while keeping the old one active.
- Update your application: Deploy your application with the new API key.
- Verify functionality: Ensure your application is working correctly with the new key.
- Revoke the old key: Once you have confirmed that the new key is in use and everything is functioning as expected, delete the old API key from the dashboard.
Never hardcode API keys in your source code. Always use environment variables or a secure secrets manager to store your credentials.
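One way to support the "verify, then revoke" steps of the rotation procedure while keeping the key out of source code, shown as an added example that is not Tavily's own code. It assumes the key is supplied in an environment variable named `TAVILY_API_KEY` and that each instance reports a key fingerprint at startup; the function names, instance names and sample keys are hypothetical.

```python
import hashlib
import os

ENV_VAR = "TAVILY_API_KEY"  # assumed variable name; use whatever your deployment sets


def load_api_key(environ=None):
    """Read the key from the environment and fail closed if it is missing."""
    env = os.environ if environ is None else environ
    key = (env.get(ENV_VAR) or "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without a key")
    return key


def key_fingerprint(key):
    """Short SHA-256 prefix that identifies a key in logs without revealing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def safe_to_revoke(new_key, reported):
    """Decide whether the old key can be deleted.

    `reported` maps instance name -> fingerprint logged at startup (None if
    the instance has not reported). Returns (ok, pending): ok is True only
    when every instance is confirmed to be running with the new key.
    """
    new_fp = key_fingerprint(new_key)
    pending = sorted(name for name, fp in reported.items() if fp != new_fp)
    return (bool(reported) and not pending), pending


# Constructed sample data: placeholder keys and instance names, not real values.
OLD_KEY = "example-old-key-not-real"
NEW_KEY = "example-new-key-not-real"
MID_ROLLOUT = {
    "web-1": key_fingerprint(NEW_KEY),
    "web-2": key_fingerprint(OLD_KEY),  # not yet redeployed
    "worker-1": None,                   # has not reported since the deploy
}
DONE = {name: key_fingerprint(NEW_KEY) for name in MID_ROLLOUT}

if __name__ == "__main__":
    print(safe_to_revoke(NEW_KEY, MID_ROLLOUT))  # old key must stay active
    print(safe_to_revoke(NEW_KEY, DONE))         # old key can be revoked
```

Logging only the fingerprint lets you compare what each instance is running against the new key without the key itself ever appearing in logs or dashboards.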