Forem: Alexey Babenko The latest articles on Forem by Alexey Babenko (@viiloyo). https://forem.com/viiloyo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3820469%2Fb7a7f809-dbcc-43d1-a249-b91d2b42d1f2.jpg Forem: Alexey Babenko https://forem.com/viiloyo en How to Securely Store and Use API Keys in Laravel in 2026 Alexey Babenko Thu, 12 Mar 2026 13:54:26 +0000 https://forem.com/viiloyo/how-to-securely-store-and-use-api-keys-in-laravel-in-2026-5d26 https://forem.com/viiloyo/how-to-securely-store-and-use-api-keys-in-laravel-in-2026-5d26 <p>In 2026, almost every Laravel project integrates 3–10 external APIs: OpenAI, Stripe, Telegram, AWS S3, Resend, Brevo, and so on. </p> <p>Yet most key leaks happen <strong>not because of sophisticated attacks</strong>, but due to silly mistakes: committing to git, logging them, sending them to the frontend, or calling <code>env()</code> in production after <code>config:cache</code>.</p> <p>Today we’ll walk through a battle-tested path — from “it just works” to “I sleep peacefully”.</p> <h2> 1. Basic (but already correct) level — .env + config </h2> <p>Never hard-code keys in your source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// ❌ Bad</span> <span class="nv">$openai</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OpenAI</span><span class="p">(</span><span class="s1">'sk-123...'</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// ✅ Good</span> <span class="c1"># .env</span> <span class="no">OPENAI_API_KEY</span><span class="o">=</span><span class="n">sk</span><span class="o">-...</span> <span class="no">STRIPE_SECRET_KEY</span><span class="o">=</span><span class="n">sk_live_</span><span class="mf">...</span> <span class="c1">// config/services.php</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'openai'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'api_key'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'OPENAI_API_KEY'</span><span class="p">),</span> <span class="s1">'organization'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'OPENAI_ORG'</span><span class="p">),</span> <span class="p">],</span> <span class="s1">'stripe'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'key'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'STRIPE_KEY'</span><span class="p">),</span> <span class="s1">'secret'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'STRIPE_SECRET_KEY'</span><span class="p">),</span> <span class="p">],</span> <span class="p">];</span> </code></pre> </div> <p>Usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$key</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'services.openai.api_key'</span><span class="p">);</span> <span class="c1">// or with type safety (Laravel 11+)</span> <span class="nv">$key</span> <span class="o">=</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.openai.api_key'</span><span class="p">);</span> </code></pre> </div> <p>Why is config better than <code>env()</code> everywhere?</p> <p>After php artisan config:cache, any <code>env()</code> call outside config files returns null.<br> That’s why every <code>env()</code> should live only inside <code>config/*.php</code> files.</p> <p>Golden rule:</p> <p><code>env()</code> — only in config files.<br> Everywhere else — <code>config('path.to.key')</code>.</p> <h2> 2. Middle level: type-safe configs + DTO </h2> <p>A plain string is fragile. Let’s make it strongly typed.<br> Create a value object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Config/OpenAiConfig.php</span> <span class="k">final</span> <span class="k">readonly</span> <span class="kd">class</span> <span class="nc">OpenAiConfig</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span> <span class="k">public</span> <span class="kt">string</span> <span class="nv">$apiKey</span><span class="p">,</span> <span class="k">public</span> <span class="kt">?string</span> <span class="nv">$organization</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="k">public</span> <span class="kt">string</span> <span class="nv">$baseUrl</span> <span class="o">=</span> <span class="s1">'https://api.openai.com/v1'</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">empty</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">apiKey</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">RuntimeException</span><span class="p">(</span><span class="s1">'OpenAI API key is missing'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">make</span><span class="p">():</span> <span class="kt">self</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">self</span><span class="p">(</span> <span class="n">apiKey</span><span class="o">:</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.openai.api_key'</span><span class="p">),</span> <span class="n">organization</span><span class="o">:</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.openai.organization'</span><span class="p">,</span> <span class="kc">null</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Register it as a singleton:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Providers/AppServiceProvider.php</span> <span class="k">public</span> <span class="k">function</span> <span class="n">register</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">app</span><span class="o">-&gt;</span><span class="nf">singleton</span><span class="p">(</span><span class="nc">OpenAiConfig</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">OpenAiConfig</span><span class="o">::</span><span class="nf">make</span><span class="p">());</span> <span class="p">}</span> </code></pre> </div> <p>Usage anywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$openai</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">OpenAiConfig</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="nv">$client</span> <span class="o">=</span> <span class="nc">OpenAI</span><span class="o">::</span><span class="nf">client</span><span class="p">(</span><span class="nv">$openai</span><span class="o">-&gt;</span><span class="n">apiKey</span><span class="p">,</span> <span class="nv">$openai</span><span class="o">-&gt;</span><span class="n">organization</span><span class="p">);</span> </code></pre> </div> <p>Benefits:</p> <ul> <li>IDE autocompletion for fields</li> <li>Fail fast at boot — not in production three days later</li> <li>Easy to mock / test</li> </ul> <h2> 3. Zero-downtime key rotation </h2> <p>API providers (OpenAI, Anthropic, Stripe, AWS) recommend rotating keys every 90 days.<br> But simply replacing the key in .env → every request fails until the next deploy.</p> <p>Simple fallback approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1"># .env</span> <span class="no">OPENAI_API_KEY_CURRENT</span><span class="o">=</span><span class="n">sk</span><span class="o">-</span><span class="n">abc123</span><span class="mf">...</span> <span class="no">OPENAI_API_KEY_OLD</span><span class="o">=</span><span class="n">sk</span><span class="o">-</span><span class="n">oldkey</span><span class="mf">...</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Services/OpenAiService.php</span> <span class="kd">class</span> <span class="nc">OpenAiService</span> <span class="p">{</span> <span class="k">private</span> <span class="kt">array</span> <span class="nv">$keys</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">keys</span> <span class="o">=</span> <span class="p">[</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.openai.api_key_current'</span><span class="p">),</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.openai.api_key_old'</span><span class="p">,</span> <span class="kc">null</span><span class="p">),</span> <span class="p">];</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">client</span><span class="p">():</span> <span class="nc">\OpenAI\Client</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">keys</span> <span class="k">as</span> <span class="nv">$key</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$key</span> <span class="o">===</span> <span class="kc">null</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nv">$client</span> <span class="o">=</span> <span class="nc">OpenAI</span><span class="o">::</span><span class="nf">client</span><span class="p">(</span><span class="nv">$key</span><span class="p">);</span> <span class="nv">$client</span><span class="o">-&gt;</span><span class="nf">models</span><span class="p">()</span><span class="o">-&gt;</span><span class="k">list</span><span class="p">();</span> <span class="c1">// quick validation</span> <span class="k">return</span> <span class="nv">$client</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">\Exception</span> <span class="nv">$e</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// log and try next</span> <span class="p">}</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">RuntimeException</span><span class="p">(</span><span class="s1">'All OpenAI keys failed'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Even better — grace period (like AWS / Laravel encryption):</p> <ol> <li>Add new key as CURRENT</li> <li>Keep old one as FALLBACK_1, FALLBACK_2…</li> <li>Remove old key 1–2 hours later (or after deploy)</li> </ol> <p>For automatic rotation, consider packages like laravel-locksmith (zero-downtime rotation with AWS secrets / other providers).</p> <h2> 4. Production-only enhancements </h2> <p>Health check for API keys<br> Add a <code>/health</code> (or <code>/up</code>) route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// routes/health.php</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'/health/api-keys'</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$status</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'openai'</span> <span class="o">=&gt;</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.openai.api_key'</span><span class="p">)</span> <span class="o">?</span> <span class="s1">'OK'</span> <span class="o">:</span> <span class="s1">'MISSING'</span><span class="p">,</span> <span class="s1">'stripe'</span> <span class="o">=&gt;</span> <span class="nc">Config</span><span class="o">::</span><span class="nf">string</span><span class="p">(</span><span class="s1">'services.stripe.secret'</span><span class="p">)</span> <span class="o">?</span> <span class="s1">'OK'</span> <span class="o">:</span> <span class="s1">'MISSING'</span><span class="p">,</span> <span class="c1">// ...</span> <span class="p">];</span> <span class="nv">$missing</span> <span class="o">=</span> <span class="nb">array_keys</span><span class="p">(</span><span class="nb">array_filter</span><span class="p">(</span><span class="nv">$status</span><span class="p">,</span> <span class="k">fn</span><span class="p">(</span><span class="nv">$v</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$v</span> <span class="o">===</span> <span class="s1">'MISSING'</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$missing</span><span class="p">)</span> <span class="p">{</span> <span class="nf">abort</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="s1">'Missing API keys: '</span> <span class="mf">.</span> <span class="nb">implode</span><span class="p">(</span><span class="s1">', '</span><span class="p">,</span> <span class="nv">$missing</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'healthy'</span><span class="p">,</span> <span class="s1">'checked_keys'</span> <span class="o">=&gt;</span> <span class="nv">$status</span><span class="p">,</span> <span class="p">]);</span> <span class="p">})</span><span class="o">-&gt;</span><span class="nf">name</span><span class="p">(</span><span class="s1">'health.api-keys'</span><span class="p">);</span> </code></pre> </div> <p>Kubernetes, Laravel Forge, Ploi can monitor this endpoint.</p> <h3> Laravel Pennant + feature flags </h3> <p>Temporarily disable a key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Pennant</span><span class="o">::</span><span class="nb">define</span><span class="p">(</span><span class="s1">'openai-enabled'</span><span class="p">,</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'OPENAI_ENABLED'</span><span class="p">,</span> <span class="kc">true</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="nc">Pennant</span><span class="o">::</span><span class="nf">active</span><span class="p">(</span><span class="s1">'openai-enabled'</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// use it</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// fallback / mock</span> <span class="p">}</span> </code></pre> </div> <h2> 5. Anti-patterns of 2026 (don’t do this) </h2> <ul> <li> <code>env('KEY')</code> in controllers/services after <code>config:cache</code> </li> <li>Storing keys in database without encryption (<code>encrypt()</code> / <code>Crypt::</code>)</li> <li>Committing .env to git</li> <li>Sending keys to frontend (even via VITE_ env)</li> <li>Ignoring 429 / invalid key errors without fallback</li> <li>Using the same key across all environments</li> </ul> <h2> Pre-deploy checklist </h2> <ol> <li>All keys are in .env — .env is not in git</li> <li> <code>env()</code> calls exist only in <code>config/*.php</code> </li> <li> <code>php artisan config:cache</code> is running in production</li> <li>You’re using <code>Config::string()</code> / typed config methods</li> <li>DTO / singleton exists for each service</li> <li>Fallback or rotation is implemented</li> <li> <code>/health</code> route checks API keys</li> <li>No keys appear in logs (check <code>config/logging.php</code>)</li> </ol> <p>Go check your projects right now — one missing key can cost you a fortune.<br> How do you store and rotate API keys?<br> Share your approaches in the comments — maybe you have an even cleaner solution!<br> If you found this useful — give it a ❤️ and save for later.<br> Secure deploys! 🔐</p> laravel php security