GeekHub Learn
Module
Learn/AI and LLMs for Beginners/Building with LLMs/Lesson 5.2
Lesson 5.22 of 8 in this module2 min read Module 5: Using AI APIs (OpenAI, Gemini, Anthropic)

Setup: keys, env vars, .gitignore, virtual envs

The single most expensive beginner mistake in AI is committing an API key to GitHub. Bots scan within minutes. Bills hit within hours. This lesson prevents that.

API keys are house keys. You do not tape them to your front door. You do not paste them in a public chat. You do not push them to GitHub.

The safe setup pattern:

  1. Generate an API key from the provider dashboard.
  2. Store it in a local .env file.
  3. Add .env to .gitignore BEFORE the first commit.
  4. Load it via python-dotenv or os.environ.
  5. Rotate keys quarterly.
  6. Use spending limits in the provider dashboard.

.env file (never commit):

OPENAI_API_KEY=sk-...
GEMINI_API_KEY=...
ANTHROPIC_API_KEY=sk-ant-...

.gitignore (commit this):

.env
__pycache__/
*.pyc
.venv/

Loader code:

from dotenv import load_dotenv
import os
load_dotenv()
key = os.environ["OPENAI_API_KEY"]

Virtual env setup:

python -m venv .venv
source .venv/bin/activate    # Mac/Linux
.venv\Scripts\activate       # Windows
pip install openai python-dotenv

Visualize it

A 4-box "safe key flow" diagram: provider dashboard -> .env -> .gitignore protects it -> code loads via env var.

Try it now

Create your first OpenAI key at platform.openai.com/api-keys. Set a $5 monthly hard limit. (You will rarely exceed $2 in this course.)

Hands-on lab

Set up a Python project with .env, .gitignore, and a requirements.txt. Push a clean repo to GitHub. Verify .env is not in the repo.

Try it now

What would you do if you accidentally committed a key?

Common mistakes

  • Hard-coding the key string in .py files
  • Forgetting .gitignore before the first commit
  • Sharing keys across personal and work projects

Debugging tip

If you ever accidentally commit a key, rotate it immediately at the provider dashboard. GitHub history is forever. The only fix is invalidate.

Challenge

Add monthly spending limits on all three providers (OpenAI, Google, Anthropic). Screenshot proof for yourself.

Where this shows up

  • All production AI apps
  • Personal projects pushed to GitHub
  • Tutorials and demos

From the field

Reputable companies use secret managers (AWS Secrets Manager, GCP Secret Manager, Doppler) in production. For learning, env vars are enough. Promote later.

Recap

Keys in .env, .env in .gitignore, spending caps on, virtual envs for project isolation. This is your baseline forever.

Quick recall

3 prompts · think before you flip

Prompt 1 of 3

Why use `.env` instead of hard-coding?

Quiz time

1 question · tap an answer to check it

  1. 1. If you commit an API key by accident, the first move is

Finished lesson 5.2?

Mark complete to update your module progress and unlock the streak.

Loading