Back to Blog
api-keyssecretssecurityaikey-rotation

API Key Restrictions: Why One Shared Key Is a Risk (Simply Explained)

A plain-language guide to API key restrictions. No jargon, no tech speak, just what it means for your business.

By Mike Hodgen

Want the full technical deep dive? Read the detailed version

I Found One Password Doing Six Jobs

Last month I ran a security check across my own projects. I found something I already suspected but had never measured.

I had 10 different digital passwords (the kind of code that lets my software talk to AI services). And I was reusing them everywhere. One single password was being used in six separate projects. Four more were sitting in a plain text file on my computer, unlocked, where anyone with access could read them.

This didn't happen because I'm sloppy. It happened because I'm fast.

When you start a new project and you need access to an AI service, you don't generate a fresh password and carefully lock it down. You grab the one you already have, paste it in, and get back to work. Ten seconds. Done.

That habit is exactly the problem.

Why One Shared Password Can't Be Protected

Think of these passwords like a key to your business. With a good key, you can put rules on it. You can say "this key only opens the front door." Or "this key only works during business hours." Or "this key only works for staff coming from our office."

Those rules live on the key itself. The lock doesn't care who is holding the key. It only checks: does this person follow the rules attached to this key.

Here's the trap. Imagine you hand the same key to four totally different people. A website. A live server running your business. A tool on your laptop. And your home computer.

Each one needs a different rule. The website only works from your web address. The server only works from one fixed location. Your laptop moves around (coffee shop, home, office) so it can never be locked to one location.

These rules fight each other. You cannot lock the key to one location AND let it move around at the same time. So what happens? You give up. You remove all the rules, because that's the only way everyone can keep using the key.

A shared key ends up with zero protection. Not weak protection. None. That's not a mistake. That's just the math. A shared key can't be protected, by definition.

What Happens When That Key Leaks

So now you have a key with no protection, sitting in six projects. And it leaks.

It will leak. Not because you're careless, but because keys end up in places you never planned. A screenshot in a support chat. A note you pasted while troubleshooting with someone. A file that got saved where it shouldn't. I found mine sitting in plain text when I actually went looking.

Here's where it gets bad. Because the key has no rules, whoever finds it can use it from anywhere. They can run up your bill. They can reach every service the key touches. It works for them exactly as well as it works for you.

And the cleanup is brutal. To kill a leaked key, you have to cancel it and replace it. But that one key powers six projects. The second you cancel it, all six stop working unless you've already swapped every single one.

So you're not doing a quick five-minute fix on one project. You're racing to fix six projects at once, under pressure, while a thief is actively using the key you're trying to shut off.

That's the real difference. One protected key per project means a leak is a five-minute fix. One shared key across six projects means a leak is a company-wide fire.

Why "One Key Per Project" Is Also Wrong

The obvious reaction is to swing the other way. Make a separate key for every project. Six projects, six keys. Problem solved, right?

Nope.

The same habit that made you reuse the first key is still in charge. Nobody generates 30 keys and then spends 15 minutes locking down the rules on each one. They generate them, paste them, and move on.

Now you have 30 unprotected keys instead of one. That's worse. Thirty things to track. Thirty things to replace if something goes wrong. Thirty chances to leak. You've multiplied your risk and called it security.

The number of keys is not the point. Whether each key is actually protected is the point.

The Fix: Group Keys By Where They Live

Here's the model I landed on. Instead of one giant key or 30 random ones, I grouped my keys by environment. By where they actually get used.

I ended up with five groups:

  • My laptop and dev work (moves around, never touches the live business)
  • My live servers (fixed location, running real workloads)
  • My public websites (locked to my web addresses)
  • Client work (kept completely separate from my own stuff)
  • Experiments (throwaway keys with strict spending limits, so a runaway test can't cost me much)

Each group gets one key. And because everything in a group has the same needs, I can finally lock that key down tight instead of giving up.

My website key only works from my web addresses. My server key only works from my server's location, with a hard spending cap and an alert that fires the second usage spikes. Every key can only reach the specific services it actually needs. Nothing more.

The fighting-rules problem disappears, because I'm never asking one key to do contradictory things.

The One Rule That Saves You

There's one step here that matters more than anything else. The order you do it in.

Set up every new key and switch each project over to it BEFORE you cancel the old shared one. Never cancel first.

This sounds obvious until you're in the middle of it, feeling productive, and you reach for that cancel button while three projects are still using the old key. Cancel too early and you've created the exact outage you were trying to prevent. The cleanup becomes the disaster.

The safe order is simple. Create the new locked-down keys. Switch each project over one at a time, checking that each one still works. Then, and only then, cancel the old key.

The order is the whole safety net.

When Someone Else Owns This For You

Most businesses don't have this mess because they're careless. They have it because pasting an old key is the easy path, and nobody's job is to track which key reaches what, or what happens when one leaks. So it grows quietly until a scan, or a breach, makes it loud.

I didn't find my own mess by theorizing about it. I found it by actually scanning my projects and counting. Ten keys. One doing six jobs. Four sitting in plain text.

I can do the same for you. Map out where all your keys are, group them sensibly, lock each one down, and switch everything over without breaking anything live. It's always cheaper to find this on purpose than to find it after a leak.

Want to explore what AI could do for your business?

Book a free 30-minute strategy call. No pitch deck, no sales team, just a real conversation about your operations and where AI fits.

Book a Discovery Call

Get AI insights for business leaders

Practical AI strategy from someone who built the systems — not just studied them. No spam, no fluff.

Ready to automate your growth?

Book a free 30-minute strategy call with Hodgen.AI.

Book a Strategy Call