Securing the API key
Keep your Anthropic key server-side and out of the browser, git, and the image — the deployment's most important safety rule.
Your ANTHROPIC_API_KEY must live only on the server, as an environment variable. Never put it in front-end code, never commit it to git, never bake it into the Docker image. A leaked key can be used to run up real charges on your account.
The architecture already protects you: the browser talks only to your FastAPI server, and the server talks to Anthropic using the key from its environment. The key never travels to the client. Your job is to keep it that way through deployment.
The safe key path
- Local dev:
export ANTHROPIC_API_KEY=...in your shell (or a.envfile that is git-ignored). The Anthropic SDK reads it automatically. - In git: nothing. Add
.envand*.db(if large) to.gitignore. Grep your repo forsk-ant-before every push. - In production: set the key as a secret environment variable in your hosting platform's dashboard. It's injected at runtime, never stored in your code or image.
# The SDK reads ANTHROPIC_API_KEY from the environment automatically —
# so your code never contains the key string at all.
client = anthropic.Anthropic() # correct
# client = anthropic.Anthropic(api_key="sk-ant-...") # NEVER hardcodeA public agent endpoint costs you money per request. Before sharing widely, add a simple rate limit and consider a lightweight access check (a shared password, or deploy it privately). The semantic layer keeps the data safe; you keep the endpoint from being abused.