Don't hardcode API keys! Rotate them regularly & store securely with access control, usage monitoring & encryption. Committing secrets to version control is a major security risk. Educate users on API key handling best practices.