# API Key Safety

> Best practices for keeping your NBQ Engine API key secure.

Your NBQ Engine API key grants full access to your configuration and usage. Treat it like a password.

## Key facts

<CardGroup cols={2}>
  <Card title="Format" icon="key">
    Every key starts with `nbq_live_` followed by a random string.
  </Card>

  <Card title="Shown once" icon="eye-slash">
    The key is displayed only at generation. It cannot be retrieved again.
  </Card>

  <Card title="Revocable immediately" icon="ban">
    You can revoke a key instantly from the NBQ Studio API Keys area.
  </Card>

  <Card title="No automatic expiry" icon="clock">
    Keys do not expire automatically. Rotate them periodically as a best practice.
  </Card>
</CardGroup>

## Do and do not

<Tabs>
  <Tab title="Do">
    * Store the key in an environment variable or secrets manager (AWS Secrets Manager, Doppler, HashiCorp Vault).
    * Rotate the key when team members with access leave.
    * Revoke the key immediately if you suspect it has been exposed.
    * Use the key server-side only — never in frontend or client-side code.
  </Tab>

  <Tab title="Do not">
    * Never hardcode the key in source code.
    * Never commit the key to GitHub or any version control system, even in a private repository.
    * Never share the key in Slack, email, or other messaging tools.
    * Never expose the key in browser developer tools or client-side JavaScript.
  </Tab>
</Tabs>

## If your key is compromised

<Steps>
  <Step title="Revoke immediately">
    Go to the NBQ Studio API Keys area and click **Revoke**. The key stops working instantly.
  </Step>

  <Step title="Generate a new key">
    Click **Generate Key** to create a replacement. Copy it immediately.
  </Step>

  <Step title="Update your integration">
    Replace the old key in your environment variables or secrets manager and redeploy.
  </Step>

  <Step title="Review your logs">
    Check API usage logs for any unexpected calls made while the key was potentially exposed.
  </Step>
</Steps>

<Warning>
  Never commit an API key to GitHub, even in a private repository. Use `.gitignore` to exclude `.env` files. If a key was ever committed, revoke it immediately: removing it in a later commit does not remove it from git history, where it can still be inspected.
</Warning>
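
One way to enforce the no-commit rule locally is a Git pre-commit hook that scans staged additions for the `nbq_live_` prefix. This is an added example, not NBQ tooling; the character set and minimum length after the prefix are assumptions, since only the prefix is documented here.

```python
#!/usr/bin/env python3
import re
import subprocess
import sys

# Assumption: only the `nbq_live_` prefix is documented. The character set and
# minimum length of the random part are guesses; tune them to match real keys.
KEY_RE = re.compile(r"nbq_live_[A-Za-z0-9_\-]{8,}")

# Constructed sample line, not a real key.
SAMPLE = 'NBQ_API_KEY="nbq_live_EXAMPLEexample1234"'


def redact(key):
    """Keep the prefix and last 4 characters: identifiable, but not reusable."""
    return "nbq_live_" + "*" * 8 + key[-4:]


def find_keys(text):
    """Return (line_number, redacted_key) for every key-shaped token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


def staged_added_lines():
    """Return the lines the pending commit would add (staged diff, '+' lines).

    The '+++' file headers are kept on purpose: skipping them could also skip
    an added line that itself starts with '++'.
    """
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(l[1:] for l in diff.splitlines() if l.startswith("+"))


def main():
    hits = find_keys(staged_added_lines())
    for _, redacted in hits:
        print(f"NBQ Engine API key in staged changes: {redacted}", file=sys.stderr)
    if hits:
        print("Commit blocked. Remove the key from the change.", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as `.git/hooks/pre-commit` and make it executable; Git aborts the commit when the hook exits non-zero. The hook prints only the redacted form, so the key does not end up in terminal scrollback or CI logs.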
