How to Hide an API Key in Rails and Pass it To Heroku

Kyle Farmer
Published in CodeX
4 min read · Aug 6, 2021

In this blog, we will take a look at how to hide public-facing API keys in Rails as well as pass them to a deployed Rails app on Heroku.

Working with an external API can be a great way to create usable and fun applications. Many quality external APIs require an authorization key, and even many free APIs require one. Many APIs also only give you an allotted number of API calls each month; beyond that, you will have to pay to get more. If you are storing your code in any type of online public repo, e.g. GitHub, it is of utmost importance that you hide your API key so that no one can steal it from your online repo and use it for themselves. If your app is deployed to Heroku, you will also need to pass Heroku that saved key in order for your project to make the proper calls. Let’s dive in!

The very first thing you will need to get started in this tutorial is a key to your API. The API should have documentation about how to obtain a unique key. Once you have this, the idea is to save it as an environment variable in Rails. Rather than inserting the API key directly into an API call, we will instead use the environment variable that contains the API key. This will allow us to keep the API key a secret in our code.

Rails Gem Dotenv

The next step is to open your Rails project and add the gem 'dotenv-rails' to your Gemfile. You can do this by manually adding gem 'dotenv-rails' to your Gemfile and then running $ bundle install in the terminal, or you can simply run $ gem install dotenv in the terminal.

Creating an Environment Variable

After installation is complete, we can pass our unique API key as an environment variable by creating a new file called .env in our project. Let’s make up a name for our key: we’ll call it MY_API_KEY, and let’s pretend our API key is 1234567. Inside the new .env file we can save our API key like so:

MY_API_KEY=1234567 

This variable can be used anywhere in your Rails application as:

ENV["MY_API_KEY"]

So to use this new variable in an API call in our code, it might look something like this:

key = ENV["MY_API_KEY"]
url = "https://api.rawg.io/api/games/7153?key=#{key}"

.gitignore

The next step is super important. We need to add the .env file to our .gitignore file to ensure that the file containing our unique API key is not pushed along with our code to any online repository.

If you want others to be able to clone your repo and run your project on their own machine, be sure to document in the README that they will need to create a new .env file themselves with an environment variable called MY_API_KEY and insert their own key into it.

Passing the API Key to Heroku

Now that our key is being safely used locally and not in danger of being stolen in our online repository, let’s see how we can get it into our deployed code on Heroku.

Prerequisite: I’m assuming you have already deployed a Rails application to Heroku and are somewhat familiar with the Heroku CLI.

Since our .env is in our .gitignore file, it won’t be sent to Heroku when we push our new code containing the environment variable usage. So anywhere in our code that uses ENV["MY_API_KEY"] will not be able to find the value for that variable.

To solve this problem, we can create a Config Var in our deployed Heroku repo.

First, log in to your Heroku account. Next, enter this in the command line:

$ heroku config:set MY_API_KEY=1234567

This should save the API key as a Config Var. To verify the key was saved correctly, we can check with:

$ heroku config:get MY_API_KEY

and we should see 1234567 in the terminal.

Config Vars will be used in your code on Heroku just like the environment variables on your local machine. So it is very important that you give them the same name!

Config Vars can also be passed to Heroku from the Heroku Dashboard’s Settings tab if you prefer to not use the command line method.
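
If the Config Var is missing or named differently, ENV["MY_API_KEY"] is nil and the URL from earlier is built with an empty key. The following is an added example, not code from the original post: it fails loudly in that case and masks the key before a URL is logged. ApiKeyConfig and its method names are hypothetical; the sample environments are constructed.

```ruby
require "uri"

# Added example; ApiKeyConfig and its methods are hypothetical names.
# MY_API_KEY, the pretend key 1234567 and the RAWG URL come from the post.
module ApiKeyConfig
  class MissingKey < StandardError; end

  VAR  = "MY_API_KEY"
  BASE = "https://api.rawg.io/api/games/7153"

  # Read the key, raising when it is unset or blank instead of letting
  # the app silently request ".../7153?key=" with an empty value.
  def self.key(env = ENV)
    value = env[VAR].to_s.strip
    return value unless value.empty?
    raise MissingKey, "#{VAR} is not set: add it to .env locally or " \
                      "run `heroku config:set #{VAR}=...` for the deployed app"
  end

  # Build the request URL with the key form-encoded into the query string.
  def self.url(env = ENV)
    uri = URI(BASE)
    uri.query = URI.encode_www_form([["key", key(env)]])
    uri.to_s
  end

  # Mask the key before a URL is written to logs or error reports.
  def self.redact(url)
    uri = URI(url)
    return url unless uri.query

    pairs = URI.decode_www_form(uri.query).map do |name, value|
      [name, name == "key" ? "REDACTED" : value]
    end
    uri.query = URI.encode_www_form(pairs)
    uri.to_s
  end
end

# Constructed sample environments standing in for ENV.
local_env  = { "MY_API_KEY" => "1234567" } # .env loaded by dotenv
heroku_env = {}                            # Config Var not set yet

puts ApiKeyConfig.redact(ApiKeyConfig.url(local_env))
begin
  ApiKeyConfig.url(heroku_env)
rescue ApiKeyConfig::MissingKey => e
  puts "boot check failed: #{e.message}"
end
```

Called with no argument, ApiKeyConfig.key reads the real ENV, so the same check works locally with .env and on Heroku with the Config Var.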

That’s it! Keep those API keys safe and happy building!
