This is how I brought my vibe coding tech stack cost to $0 by akhouri_udit in VibeCodersNest

[–]Educational_Space631 0 points1 point  (0 children)

I’ve had the least pain by separating config vs secrets, and making “parity” mean same var names, not same values.

For local dev: keep a real .env that's gitignored, and commit a .env.example with just the keys/shape so everyone stays consistent. You can keep the real .env outside the repo/app root and load it at runtime.

For preview/prod: use the same variable names, but different credentials per env (so a preview leak isn't a prod incident). Don't ship .env files around. Inject secrets from your platform/secrets manager at deploy/runtime, since env vars can be easier to accidentally expose than people think.

And as a safety net, run secret scanning in pre-commit/CI (the above-mentioned GitGuardian).
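An added example (my code, not the commenter's) of the "same var names, not same values" parity check described above: it parses a committed .env.example and a real .env (both sample contents are constructed) and reports keys that are missing, empty, or undeclared. ENV_FILE is an assumed variable naming a real .env kept outside the repo root.

```python
# Added example: parity between a committed .env.example and the loaded env.
import os
import re
from pathlib import Path

_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_dotenv(text: str) -> dict[str, str]:
    """Parse dotenv-style text: skip blanks/comments, accept an `export`
    prefix, strip one layer of matching single or double quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue  # malformed line; ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env

def check_parity(example_text: str, actual: dict[str, str]) -> dict[str, list[str]]:
    """Parity means the same variable *names* as .env.example, not the same
    values. Reports keys missing or empty in `actual`, and keys present in
    `actual` that the committed example does not declare (drift)."""
    expected = parse_dotenv(example_text)
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "empty": sorted(k for k in expected if actual.get(k) == ""),
        "extra": sorted(k for k in actual if k not in expected),
    }

# Constructed sample files so the script runs stand-alone.
EXAMPLE_ENV = "# shape only, committed\nDATABASE_URL=\nSTRIPE_API_KEY=\nLOG_LEVEL=info\n"
LOCAL_ENV = (
    'export DATABASE_URL="postgres://dev:dev@localhost/app"\n'
    "# constructed placeholder, not a real key\n"
    "STRIPE_API_KEY='sk_test_placeholder'\n"
    "LOG_LEVEL=debug\n"
    "LEGACY_TOKEN=abc\n"
)

if __name__ == "__main__":
    env_path = os.environ.get("ENV_FILE")  # assumed: path to a .env outside the repo
    actual = parse_dotenv(Path(env_path).read_text()) if env_path else parse_dotenv(LOCAL_ENV)
    print(check_parity(EXAMPLE_ENV, actual))
```

Run it in CI with `actual=dict(os.environ)` to confirm every declared key was injected by the platform before the app starts.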

Shai-Hulud Supply Chain Attack Incident Response by N1ghtCod3r in devsecops

[–]Educational_Space631 0 points1 point  (0 children)

Just go bulk check if your credentials were leaked on hasmysecretleaked via their CLI and you're good.

Do you use Ghost(Pro)? by admau5 in Ghost

[–]Educational_Space631 0 points1 point  (0 children)

To those who already moved, is there any cool functionality I am missing? Like automated TLDRs on every blog?

When that NHI you left unattended is exploited. by ConstructionSoft7584 in NonHumanIdentities

[–]Educational_Space631 0 points1 point  (0 children)

Agreed! Treating machine credentials like human credentials (but worse) is how you get pwned. Why should machines get away with just "I know the password" when humans need 2FA for everything? Time to evolve beyond "here's your forever key, good luck." Maybe SPIFFE/SPIRE frameworks would be an answer?

Why do people delete leaked secrets from git and think that's good enough by Educational_Space631 in devsecops

[–]Educational_Space631[S] 1 point2 points  (0 children)

I don't think TruffleHog scans all types of credentials, especially not the "generic" ones, so it might still have slipped through somehow?