Do I need to secure my API key when I push to GitHub?

Question

I am trying to use the Movie Database API to populate a simple Python data structure project for a class I am taking. I am a programming beginner, and have never tried to use an API before.

I have been supplied two things:

1) API Key (V3 Auth)

2) API Read Access Token (v4 auth)

Auth Documentation | v4 Auth Documentation

First of all, what is the difference between these two? I am able to successfully query for what I need using the API key - what would #2 be used for in an actual product?

When I go to turn in my project on GitHub, do I need to worry about the API key being visible? From my understanding, in some API's the key gives total account access, but some keys can be safely displayed on the client's end without worry.

Is this correct? What about in my case - do Movie Database API keys need to be kept secure?

How would I do so assuming I have to turn in the finished project on GitHub?

Answer 1

yes its a professional thing to make them private as its your property when you associate your account with the API so you have to make that private.

Answer 2

I took a look at the documentation, and did not see anything about API keys or v3 vs. v4.

I would try the examples using each API key (and find out where it goes!), and just use the one that works.

You are correct, that it's probably not a good idea to commit your API keys (or any secret) to Git, or store them in your code. One common pattern is to store them in the server config, or even an file on your computer that is not in the Git repo. You can add the file to .gitignore to keep it out of the repo.