Hey everyone! I’m working on a Discord bot that uses an LLM API. It’s gonna be open-source soon, but I’m worried about API key security.
I thought about asking server owners to use their own API keys. The bot would encrypt the keys before storing them in a database. When needed, it would decrypt them using a secret key from the .env file.
But I’m not sure if this is safe enough. Could someone grab the decrypted key while the bot is running?
Another idea is to use my own paid API key and have a subscription system. But I’d rather avoid that if possible.
What do you think? Any suggestions for keeping API keys safe in a public Discord bot? Thanks for your help!
yo, have u thought about using environment variables? i’ve done that for my bots and it works pretty well. just make sure ur .env file is in ur .gitignore so it doesn’t get pushed to github.
also, u could look into using a secrets manager service. they’re designed for this kinda stuff and can be pretty secure if set up right.
As someone who’s developed a few Discord bots, I can relate to your API key concerns. In my experience, asking server owners to use their own keys can be a hassle and might limit your bot’s adoption. Here’s what worked for me:
I ended up using a proxy server approach. Basically, I set up a small server that acts as a middleman between my bot and the LLM API. The bot sends requests to my proxy, which then forwards them to the actual API using the key stored securely on the server.
This way, the API key never leaves my control, and it’s not exposed in the bot’s code. It also gives me more flexibility to implement rate limiting and usage tracking if needed.
It does require a bit more setup, but I found it to be a good balance between security and ease of use for end users. Just make sure to properly secure your proxy server and use HTTPS for all communications.
I’ve faced similar challenges with API key protection in my projects. One approach that’s worked well is implementing a token system. Instead of directly using API keys, your bot can generate short-lived tokens for each server.
Here’s how it could work: When a server needs to make an API call, the bot requests a token from your secure backend. This token is valid for a limited time and can be restricted to specific operations. Your backend then handles the actual API calls using the real key.
This method adds an extra layer of security and gives you more control over usage. It’s more complex to set up initially, but it’s saved me a lot of headaches in the long run. Plus, it scales well if you decide to implement paid tiers later.
Remember to use strong encryption for any stored data and HTTPS for all communications. Good luck with your project!