Limit the permissions of your credentials
When creating an API key or OAuth 2.0 access token, only select the minimum grants or scopes needed, and set an expiration date for the minimum amount of time you'll need to use the token.
Store your authentication credentials securely
Treat authentication credentials the same way you would treat your passwords or other sensitive credentials:
- Don't share authentication credentials using an unencrypted messaging or email system.
- Don't pass your access tokens as plain text on the command line.
- Don't push unencrypted authentication credentials like tokens or keys to any repository, even if the repository is private.
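The three points above can be backed by small tooling. The POSIX shell helpers below are an added example and not part of the original page: `load_token` reads a token from an owner-only file (so it never appears in `ps` output or shell history the way a command-line argument would), `write_curl_config` hands it to curl through a 0600 config file instead of a `-H` argument, and `find_plaintext_tokens` is a pre-commit-style check that flags literal token assignments before they reach a repository. The file names, the variable `TOKEN`, and the token value used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. All names and values are constructed.

# load_token FILE
# Reads a token from FILE into the exported variable TOKEN. Refuses files that are
# readable by group or others, so a carelessly created file is caught early.
load_token() {
    file="$1"
    # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'. Both print octal mode bits.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode is readable by group/others" >&2; return 1 ;;
    esac
    # IFS= and -r read the first line verbatim; the token is never an argv element.
    IFS= read -r TOKEN < "$file"
    [ -n "$TOKEN" ] || { echo "empty token in $file" >&2; return 1; }
    export TOKEN
}

# write_curl_config CFG
# Writes an OAuth 2.0 bearer header into a curl config file created with mode 0600.
# Use it as:  curl --config "$cfg" https://api.example.invalid/resource
# so the token is not visible on the command line (curl's -K/--config option).
write_curl_config() {
    cfg="$1"
    # Subshell keeps the restrictive umask local to this function.
    (umask 077; printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" > "$cfg")
    chmod 600 "$cfg"
    echo "$cfg"
}

# find_plaintext_tokens FILE
# Flags lines that assign a literal of 16+ characters to a variable or key whose name
# looks like a credential (token, secret, api_key, password). Values that reference an
# environment variable ($TOKEN, ${TOKEN}) are not matched, since '$' is outside the
# allowed literal character set. Exit status follows grep: 0 = findings, 1 = clean.
find_plaintext_tokens() {
    grep -nEi "(token|secret|api_?key|password)[a-z_]*[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_./+-]{16,}" "$1"
}
```

Wiring `find_plaintext_tokens` into a pre-commit hook over `git diff --cached --name-only` is the usual way to use the last helper; it is deliberately simple and will produce false positives on long non-secret literals, which is the right trade-off for a check that blocks a push.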
Limit who can access your authentication credentials
Don't share your access tokens with others.
If you need to share credentials with a team, store the credentials in a secure shared system.