API Key Security Best Practices

Your API key is the credential for accessing all Chuizi.AI services. If compromised, others can use your balance to make API calls. Follow these practices to keep your keys secure.

Key Format

Chuizi.AI API keys consist of the prefix ck- followed by 32 alphanumeric characters, 35 characters in total. Example:

ck-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys are displayed only once at creation and cannot be recovered afterward. Save your key securely immediately after creation.

Never Hardcode Keys

Never embed API keys directly in source code:

example.py

# Wrong: the key is committed with the code and exposed to anyone who can read the repository
from openai import OpenAI
client = OpenAI(api_key="ck-your-key-here")

# Correct: the key is read from the environment at runtime and never appears in the code
import os
from openai import OpenAI
client = OpenAI(api_key=os.environ["CHUIZI_API_KEY"])

If your repository is public, a hardcoded key is exposed immediately. Even in private repositories, avoid including credentials in code.

Use Environment Variables

Store keys in environment variables or in a .env file that your application loads at startup (for example with python-dotenv):

terminal
# ~/.zshrc or ~/.bashrc
export CHUIZI_API_KEY=ck-your-key-here

# Or in a .env file at your project root
CHUIZI_API_KEY=ck-your-key-here

Make sure .env files are in your .gitignore:

# .gitignore
.env
.env.local
.env.*.local
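The two habits above, failing fast when the key is missing from the environment and catching a key that was pasted into source before it is committed, can both be automated from the format given in the Key Format section. The following is an added example written for this page, not code from the Chuizi.AI docs or SDK: it relies only on the stated ck- plus 32 alphanumerics format, and the sample source file it scans is constructed with a fake key.

```python
import os
import re
import sys
from pathlib import Path

# Format from the Key Format section: "ck-" followed by 32 alphanumeric characters, 35 in total.
KEY_PATTERN = re.compile(r"\bck-[A-Za-z0-9]{32}\b")


def is_valid_key_format(key: str) -> bool:
    """True only when the whole string is a well-formed Chuizi.AI key."""
    return KEY_PATTERN.fullmatch(key) is not None


def redact(key: str) -> str:
    """Keep the prefix and last four characters so a finding can be matched to a key without logging it."""
    return key[:3] + "*" * (len(key) - 7) + key[-4:]


def load_api_key(env_var: str = "CHUIZI_API_KEY") -> str:
    """Read the key from the environment and fail fast on a missing or malformed value."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; export it or load it from an ignored .env file")
    if not is_valid_key_format(key):
        raise RuntimeError(f"{env_var} does not match the ck- + 32 alphanumerics key format")
    return key


def scan_text(text: str, source: str = "<text>") -> list:
    """Return (source, line_no, redacted_key) for every key-shaped token found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_PATTERN.finditer(line):
            hits.append((source, line_no, redact(m.group(0))))
    return hits


def scan_paths(paths, skip_dirs=(".git", "node_modules", ".venv", "__pycache__")) -> list:
    """Walk the given files or directories and scan every regular file; usable as a pre-commit or CI gate."""
    hits = []
    for root in paths:
        candidates = [Path(root)] if Path(root).is_file() else Path(root).rglob("*")
        for p in candidates:
            if not p.is_file() or any(part in skip_dirs for part in p.parts):
                continue
            try:
                hits.extend(scan_text(p.read_text(encoding="utf-8", errors="ignore"), str(p)))
            except OSError:
                continue
    return hits


# Constructed source file containing the mistake this section warns about; the key value is fake.
SAMPLE_SOURCE = """\
import os
from openai import OpenAI

# wrong: a key pasted into code ships with every clone of the repository
client_bad = OpenAI(api_key="ck-A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6")

# correct: nothing key-shaped appears in the file
client_ok = OpenAI(api_key=os.environ["CHUIZI_API_KEY"])
"""


if __name__ == "__main__":
    # With paths on the command line, scan them; with none, scan the constructed sample.
    findings = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "example.py")
    for source, line_no, key in findings:
        print(f"{source}:{line_no}: possible Chuizi.AI key {key}")
    sys.exit(1 if findings else 0)
```

Run it as `python scan_keys.py .` from a pre-commit hook or CI step; a non-zero exit blocks the commit. The scanner reports keys redacted, so the hook's own output does not become a second place where the key is written down.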

Least Privilege

When creating a key, restrict its permissions:

  • Limit allowed models: Use the allowed_models field to restrict which models the key can access. For example, allow only anthropic/claude-sonnet-4-6 instead of all models.
  • Set an IP whitelist: Use ip_whitelist to restrict the key to specific IP addresses. Ideal for server-side deployments with static IPs.
  • Set a daily limit: Use daily_limit to cap daily spend. Even if the key leaks, the damage is bounded.
  • Set rate limits: Use rpm_limit to cap requests per minute.

Regular Rotation

Rotate your API keys every 90 days:

  1. Create a new key in the Dashboard
  2. Update all environment variables and configurations that use the old key
  3. Verify the new key works correctly
  4. Deactivate the old key in the Dashboard

During rotation, both keys can be active simultaneously for a zero-downtime transition.

Team Usage

When using Chuizi.AI in a team:

  • Separate keys per person or project: Makes tracking usage and auditing straightforward
  • Never share keys: Avoid multiple people using the same key
  • Offboarding: Deactivate a team member's key immediately when they leave
  • Use key groups: Categorize keys with the group field (e.g., production, staging, personal)
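The Least Privilege, Regular Rotation and Team Usage sections together describe a checklist that is easy to drift from as a team grows. The following is an added example, not code from the Chuizi.AI docs or Dashboard: it audits a list of key records against that checklist. The fields allowed_models, ip_whitelist, daily_limit, rpm_limit and group are the ones this page names; the name, owner, active and created_at fields, the record shape itself, the team roster and the fixed "today" are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)   # rotation interval recommended on this page

# Constructed records in the shape a Dashboard key listing might take.
# allowed_models, ip_whitelist, daily_limit, rpm_limit and group are fields this page names;
# name, owner, active and created_at are assumed for the example.
KEYS = [
    {"name": "prod-billing", "owner": "alice", "group": "production", "active": True,
     "created_at": "2025-01-10T00:00:00Z",
     "allowed_models": ["anthropic/claude-sonnet-4-6"], "ip_whitelist": ["203.0.113.10"],
     "daily_limit": 50.0, "rpm_limit": 120},
    {"name": "bob-laptop", "owner": "bob", "group": "personal", "active": True,
     "created_at": "2025-03-01T00:00:00Z",
     "allowed_models": [], "ip_whitelist": [], "daily_limit": None, "rpm_limit": None},
    {"name": "staging-ci", "owner": "carol", "group": "staging", "active": True,
     "created_at": "2025-05-20T00:00:00Z",
     "allowed_models": ["anthropic/claude-sonnet-4-6"], "ip_whitelist": [],
     "daily_limit": 10.0, "rpm_limit": 60},
]
CURRENT_TEAM = {"alice", "carol"}                    # constructed roster: bob has left
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)      # fixed "today" so the output is reproducible


def key_age_days(record: dict, now: datetime) -> int:
    """Whole days since the key was created (created_at is ISO 8601 with a trailing Z)."""
    created = datetime.fromisoformat(record["created_at"].replace("Z", "+00:00"))
    return (now - created).days


def audit_key(record: dict, team: set, now: datetime) -> list:
    """Return the hygiene findings for one active key; an empty list means it passes every check."""
    if not record.get("active", True):
        return []                                    # already deactivated: nothing to do
    findings = []
    if record["owner"] not in team:
        findings.append("owner is no longer on the team: deactivate the key now")
    if key_age_days(record, now) > ROTATION_PERIOD.days:
        findings.append(f"older than {ROTATION_PERIOD.days} days: rotate it")
    if not record.get("allowed_models"):
        findings.append("allowed_models is empty: every model is reachable with this key")
    if record.get("daily_limit") is None:
        findings.append("no daily_limit: spend is unbounded if the key leaks")
    if record.get("rpm_limit") is None:
        findings.append("no rpm_limit: nothing throttles a leaked key")
    if not record.get("group"):
        findings.append("no group: usage cannot be attributed to an environment")
    if record.get("group") == "production" and not record.get("ip_whitelist"):
        findings.append("production key without ip_whitelist: usable from any address")
    return findings


def audit_keys(records: list, team: set, now: datetime) -> dict:
    """Map each key name to its list of findings."""
    return {r["name"]: audit_key(r, team, now) for r in records}


if __name__ == "__main__":
    for name, findings in audit_keys(KEYS, CURRENT_TEAM, NOW).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

In the constructed data the production key is correctly scoped but overdue for rotation, the departed team member's personal key fails five checks at once, and the staging key passes. Running such an audit on a schedule turns the 90-day rotation and the offboarding rule from intentions into something that is checked.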

Monitor for Anomalies

Check your usage regularly in the Dashboard:

  • Usage spikes: A sudden increase in token consumption may indicate a leaked key
  • Unexpected models: Calls to models you do not use suggest the key is compromised
  • Off-hours activity: High request volumes outside working hours warrant investigation
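The three signals above can be checked mechanically against a usage export rather than eyeballed in the Dashboard. The following is an added example, not code from the Chuizi.AI docs or Dashboard: it runs the three checks over a constructed usage log in which five quiet days are followed by one day that behaves like a leaked key. The record shape, the 3x spike factor, the 08:00 to 19:59 UTC working hours, the off-hours threshold and the placeholder model name example/unlisted-model are all assumptions made for the example; tune them to your own traffic.

```python
import statistics
from collections import Counter, defaultdict
from datetime import date, datetime, timezone

BUSINESS_HOURS = range(8, 20)      # assumed working hours, 08:00-19:59 UTC
SPIKE_FACTOR = 3.0                 # latest day must exceed 3x the median of the earlier days
OFF_HOURS_MIN_REQUESTS = 10        # off-hours requests in one day before it is reported

# Models each key is expected to call; the mapping is constructed, the model name is the page's example.
EXPECTED_MODELS = {"prod-billing": {"anthropic/claude-sonnet-4-6"}}
SPIKE_DAY = date(2025, 6, 6)


def constructed_usage() -> list:
    """Synthetic usage export: five quiet business-hours days, then one day that looks like a leaked key."""
    rows = []
    for day in range(1, 6):                      # 1-5 June: 10 business-hours calls of 1000 tokens
        for i in range(10):
            rows.append({"ts": datetime(2025, 6, day, 9 + i, tzinfo=timezone.utc),
                         "key": "prod-billing", "model": "anthropic/claude-sonnet-4-6", "tokens": 1000})
    for i in range(48):                          # 6 June: round-the-clock calls, bigger, half on an odd model
        rows.append({"ts": datetime(2025, 6, 6, i % 24, tzinfo=timezone.utc),
                     "key": "prod-billing",
                     "model": "anthropic/claude-sonnet-4-6" if i % 2 == 0 else "example/unlisted-model",
                     "tokens": 2000})
    return rows


USAGE = constructed_usage()


def daily_tokens(rows: list) -> dict:
    """key -> {date -> total tokens}."""
    per_key = defaultdict(lambda: defaultdict(int))
    for r in rows:
        per_key[r["key"]][r["ts"].date()] += r["tokens"]
    return per_key


def find_spikes(rows: list, factor: float = SPIKE_FACTOR) -> list:
    """(key, day, tokens, baseline) for each key whose latest day exceeds factor x the median of earlier days."""
    findings = []
    for key, days in daily_tokens(rows).items():
        dates = sorted(days)
        if len(dates) < 2:
            continue                             # no history to compare against
        *history, latest = dates
        baseline = statistics.median(days[d] for d in history)
        if baseline > 0 and days[latest] > factor * baseline:
            findings.append((key, latest, days[latest], baseline))
    return findings


def find_unexpected_models(rows: list, expected: dict) -> dict:
    """(key, model) -> request count for every model a key is not expected to call."""
    return dict(Counter((r["key"], r["model"]) for r in rows
                        if r["model"] not in expected.get(r["key"], set())))


def find_off_hours(rows: list, min_requests: int = OFF_HOURS_MIN_REQUESTS) -> dict:
    """(key, day) -> request count for days with at least min_requests calls outside BUSINESS_HOURS."""
    counts = Counter((r["key"], r["ts"].date()) for r in rows if r["ts"].hour not in BUSINESS_HOURS)
    return {k: v for k, v in counts.items() if v >= min_requests}


def review(rows: list, expected: dict) -> dict:
    """Run all three checks; any non-empty value is a reason to look at the key's usage history."""
    return {"spikes": find_spikes(rows),
            "unexpected_models": find_unexpected_models(rows, expected),
            "off_hours": find_off_hours(rows)}


if __name__ == "__main__":
    for check, result in review(USAGE, EXPECTED_MODELS).items():
        print(f"{check}: {result if result else 'nothing unusual'}")
```

On the constructed data all three checks fire for the same key on the same day, which is the pattern to treat as a compromise and to handle with the steps in the next section. A single check firing on its own (a legitimate batch job, a planned model change) is more often a reason to update the baseline than to revoke.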

Responding to a Leak

If you suspect a key has been compromised, act immediately:

  1. Log in to the Dashboard and deactivate the compromised key
  2. Create a new key and update all configurations
  3. Review the usage history of the compromised key for unauthorized activity
  4. If you find unauthorized charges, contact support@chuizi.ai

Once a key is deactivated, all requests using it immediately return 401 Unauthorized. For the full key specification, see API Key Format.

Next Steps

  • API Key Format — Key structure, storage, and management reference
  • Data Handling — How Chuizi.AI handles your data and API key hashes
  • Sign Up — Create an account and generate your first API key