Security Best Practices

• Never expose API keys in client-side code
• Create a separate key for each project
• Enable IP allowlists
• Set daily budgets
• Rotate keys immediately after abnormal usage