Modern APIs with FastAPI and Python Transcripts
Chapter: Building a realistic API
Lecture: Setting the API key (keeping secrets safe)

Login or purchase this course to watch this video and the rest of the course contents.
0:00 Let's take a minor diversion and just give you a quick warning about putting stuff in
0:05 to GitHub, especially public repo's like this one and how we might go about dealing with this API key.
0:11 There's a bunch of options, I'll show you pretty straightforward and simple one. Have you heard of this? Git, as in secrets in Git? Look at this.
0:18 So if we come over here and you go over to shhgit, this is, a thing that watches GitHub,
0:24 all of GitHub, and you can see it's refreshing here with the various secrets that it's finding. And notice, it's already found seven or eight secrets,
0:34 Django configuration files, AWS access keys, all sorts of horrible, horrible stuff. It's doing this by just hooking into overall public change
0:44 log of GitHub. Something along those lines. You can read about how it works. How terrifying is that? So you really,
0:52 really want to make sure that this does not get into GitHub? What we're gonna do is we're gonna go over here.
0:58 I'm gonna create a file that is going to give us the structure we need, but we're gonna make sure it does not get the secret.
1:05 So it's gonna be settings, we want to a settings dot JSON. We're not gonna put that in to GitHub, so we need an easy way to recreate it.
1:12 We're gonna say template. Okay. And over in the template, it's gonna have two things, an API key, which will be "abc" and a kind of action.
1:25 Let me copy a little bit better description for you. Really all we care about is the API key. But we want something like, Hey,
1:32 copy this to settings.json and make sure it does not get committed in to GitHub. so PyCharm sometimes will automatically add this,
1:39 which means it's a little suspicious. So let me close this. I'm gonna go over and add that file, make sure it's ignored in GitHub,
1:47 Then we'll carry on. Alright, here we are, outside of PyCharm. I'm going to create a copy of it. Call it just settings.json.
1:54 I'm gonna use, I'm a big fan of source tree, so I'm gonna go over to source tree and tell it that this is being ignored in this repo. Here we go.
2:04 Alright, so now it should be safe to go back to PyCharm, and it won't automatically add that to GitHub. Notice it was there for a second
2:12 then it went away. I think it will go back to gray. See this color, this golden color? That means it's ignored in Git. Now, this one is not that color,
2:21 But I'm pretty sure it's gonna be fine. Yeah, There you go. Just needs some change detection.
2:25 So this is ignored and not going to get into shhgit and all the other things and I'm gonna pause the video, put my API key in there,
2:32 you would put yours right there, and then we'll carry on. Alright now, hiding in my settings.json is my API key,
2:40 but we're not gonna talk or worry about that. What I need to do is now configure API keys like this, and that's a thing we gotta write down here.
2:50 And what we're going to do is I'm just gonna do a little bit of standard file io, we're not gonna worry too much about how it works.
2:56 I'm just gonna drop it in here. I'm just going to import pathlib path like so we're gonna import JSON to read the JSON.
3:04 And what I've done is over here in open weather service, I've given it an API key,
3:10 so we could just set that once globally and then use it for all our requests. So back here, change this to API key,
3:18 so it doesn't think it's misspelled. There we go. So we're just gonna set this API key here like that with the value we got out there,
3:24 and off it goes. We're gonna also check that the file exists. So if for some reason it doesn't exist,
3:29 It'll give us a warning, So let's run it. If it starts up okay, Cool. It found the settings.json and it set that API key. Alright, this is one super,
3:39 super simple way to handle having a secret. We just have to copy, create and copy this, like in our production, or whenever we get a new dev machine,
3:47 you could also do it in environmental variables. Sometimes what I'll do is I'll have the settings directly embedded in source code,
3:54 but they're encrypted and I'll just set the encryption key. That way, if there's a whole bunch of different things like mail chimp and stripe
4:01 and digital Ocean and just like all these API keys, You have one setting you have to set up to get your machine ready to go
4:07 and then you can decrypt all of them. But you don't want to put them in there by themselves, as you saw because of the shhgit stuff.
4:17 That's scary. But we definitely, definitely don't want to be part of this little fun happening right here. Alright,
4:24 so now we've got our API key. Again, you have to create an account and get a free account, get the free API key and do the same thing.
4:31 Take the settings_template. json, copy the settings, put your API key in there, you'll be good to go.

Talk Python's Mastodon Michael Kennedy's Mastodon