Production Best Practices

API Key Security

Never hardcode keys

Store API keys in environment variables, not in source code:

example.py
import os
from openai import OpenAI

# Do this
client = OpenAI(
    base_url="https://api.chuizi.ai/v1",
    api_key=os.environ["CHUIZI_API_KEY"],
)

# Never this
client = OpenAI(
    base_url="https://api.chuizi.ai/v1",
    api_key="ck-abc123...",  # Leaked if committed to git
)

Use separate keys per environment

Create distinct API keys for development, staging, and production. This lets you:

  • Revoke a compromised dev key without affecting production.
  • Set different rate limits per environment.
  • Track usage separately in the dashboard.

Restrict keys

In the dashboard, configure each key with:

  • Allowed models: Limit which models the key can access.
  • IP whitelist: Restrict to your server IPs.
  • Daily spending limit: Cap maximum daily cost.
  • RPM limit: Set per-key requests-per-minute.

Rotate keys regularly

Rotate production keys every 90 days. The process:

  1. Create a new key in the dashboard.
  2. Update your environment variables to the new key.
  3. Deploy the change.
  4. Verify the new key works in production.
  5. Deactivate the old key.
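The helpers below are an added example (not code from this page or the Chuizi SDK) that tie together the environment-variable rule at the top of the page and the rotation steps above: a fail-fast loader, a log-safe key fingerprint so a deployment can confirm which key it is running during step 4 without logging the secret, and a scanner that catches a literal "ck-" key before it is committed. The page only shows the "ck-" prefix, so the key body pattern and the sample key are assumptions.

```python
import hashlib
import os
import re

ENV_VAR = "CHUIZI_API_KEY"

# Assumed key shape: the page only shows the "ck-" prefix; the body
# pattern is a hypothetical placeholder for illustration.
KEY_PATTERN = re.compile(r"\bck-[A-Za-z0-9]{8,}\b")


def load_api_key(env=os.environ):
    """Read the key from the environment and fail fast if it is missing.

    Failing at startup is better than a 401 on the first user request,
    and it surfaces a half-finished rotation (steps 2 and 3) immediately.
    """
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start")
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} does not look like an API key")
    return key


def key_fingerprint(key):
    """Short, non-reversible identifier for logs and health checks.

    Compare it against the fingerprint of the new key to confirm a
    deployment picked up the rotated value (step 4) before deactivating
    the old key (step 5).
    """
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def find_hardcoded_keys(source):
    """Return (line_number, redacted_key) for each literal key in source.

    Run it from a pre-commit hook or CI job to catch the "Never this"
    pattern before it reaches git.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            k = match.group(0)
            hits.append((lineno, k[:6] + "..." + k[-4:]))
    return hits


if __name__ == "__main__":
    # Constructed sample source; the key value is made up.
    sample = 'client = OpenAI(\n    api_key="ck-abcdefgh12345678",\n)\n'
    print(find_hardcoded_keys(sample))  # [(2, 'ck-abc...5678')]
```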

Checklist

Before going to production, verify:

  • API keys are stored in environment variables, not source code
  • Separate API keys for dev/staging/production
  • Client timeout set to >= 120 seconds
  • Retry logic with exponential backoff for 429/5xx errors
  • max_tokens set on all requests
  • Daily spending limit configured on production keys
  • Generation IDs logged for every request
  • Error responses handled and surfaced to users gracefully
  • Streaming enabled for user-facing chat interfaces
  • Health check monitoring configured

Next Steps