From 462c314ec162fef547d05a758aec062436e80c88 Mon Sep 17 00:00:00 2001 From: Waren Gonzaga Date: Thu, 26 Feb 2026 12:37:27 +0800 Subject: [PATCH] Add API key security guidance to rate limits documentation Co-Authored-By: Claude Opus 4.6 --- references/api/api-keys.mdx | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/references/api/api-keys.mdx b/references/api/api-keys.mdx index 479123f..72c18a5 100644 --- a/references/api/api-keys.mdx +++ b/references/api/api-keys.mdx @@ -102,4 +102,19 @@ createClient({ ... //other parameters }); -``` \ No newline at end of file +``` + +## Keeping Your API Key Secure + +Your API key is sensitive — treat it like a password. It is tied to your account, controls your rate limits, and all requests made with it are attributed to you. + + +If your API key is leaked, unauthorized parties could consume your rate limits or make requests on your behalf. Contact us immediately if you suspect your key has been compromised and we will rotate it for you. + + +**Best practices:** + +- **Keep it server-side only** — never expose it in client-side or frontend code. Use a [proxy API](#proxy-api) if calling Relay from the browser. +- **Use environment variables** — store your key in environment variables, not hardcoded in source code. +- **Don't commit it to version control** — add it to `.gitignore` or use a secrets manager. +- **Restrict access** — only share the key with team members who need it. \ No newline at end of file
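Review bot: In the third best-practice bullet ("Don't commit it to version control"), the phrase "add it to `.gitignore`" reads as if the key itself goes into `.gitignore`. What should be ignored is the file that holds the key, so consider wording such as "keep the key in a file that is listed in `.gitignore`, or use a secrets manager". It would also help to state that a key which has already been committed should be treated as leaked, since the paragraph above says the key is rotated on request. The first bullet links to `#proxy-api`, whose target is not in the visible lines, so confirm that anchor exists in `references/api/api-keys.mdx`. The subject line says "rate limits documentation" while the only file changed is `api-keys.mdx`, and the new last line still ends without a trailing newline.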