{"id":174,"date":"2025-08-26T14:41:51","date_gmt":"2025-08-26T14:41:51","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=174"},"modified":"2025-08-26T14:41:53","modified_gmt":"2025-08-26T14:41:53","slug":"best-practices-for-storing-api-keys-securely-in-laravel","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/best-practices-for-storing-api-keys-securely-in-laravel\/","title":{"rendered":"Best Practices for Storing API Keys Securely in Laravel"},"content":{"rendered":"\n

Hardcoding secrets in code or committing them to Git is a fast way to leak credentials. In this guide, you\u2019ll learn how to store API keys securely in Laravel 12<\/strong> using environment variables, configuration, optional encrypted database storage with an admin UI, and (optionally) cloud secret managers. Every step includes code and explanations so beginners can implement it safely.<\/p>\n\n\n\n

By the end, you\u2019ll be able to: keep secrets out of source control, load them via config()<\/code> (not env()<\/code>) in app code, optionally encrypt them at rest in your database with a simple settings UI, and understand when to adopt a managed secret store in production.<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – Core Principles (Read This First)<\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

    \n
  • Never commit secrets to Git<\/strong> (including private repos). Use .env<\/code> or secret managers.<\/li>\n
  • Read secrets via config()<\/code><\/strong> in application code. Avoid calling env()<\/code> outside config files.<\/li>\n
  • Limit exposure<\/strong>: only inject the secrets you actually need in each environment.<\/li>\n
  • Rotate regularly<\/strong>, log access, and never print secrets in logs<\/strong>.<\/li>\n<\/ul>\n\n\n\n

    <\/p>\n\n\n\n\n

    <\/div>\n\n\n\n\n

    2 – Put secrets in .env<\/code>, read them from config\/services.php<\/code><\/strong><\/h2>\n\n\n\n

    <\/p>\n\n\n

    # .env<\/span>\nMAILGUN_API_KEY=your-mailgun-key\nSTRIPE_SECRET=sk_live_xxx\nTHIRD_PARTY_MAPS_KEY=maps-xxx<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Expose them to your app via configuration so you can safely call config()<\/code> everywhere else:<\/p>\n\n\n
    \/\/ config\/services.php<\/span>\n<\/span><\/span>return<\/span> [\n<\/span><\/span>    'mailgun'<\/span> => [\n<\/span><\/span>        'key'<\/span> => env('MAILGUN_API_KEY'<\/span>),\n<\/span><\/span>    ],\n<\/span><\/span>    'stripe'<\/span> => [\n<\/span><\/span>        'secret'<\/span> => env('STRIPE_SECRET'<\/span>),\n<\/span><\/span>    ],\n<\/span><\/span>    'maps'<\/span> => [\n<\/span><\/span>        'key'<\/span> => env('THIRD_PARTY_MAPS_KEY'<\/span>),\n<\/span><\/span>    ],\n<\/span><\/span>];\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    In your controllers\/services, reference config('services.mailgun.key')<\/code> (not env()<\/code>). This keeps production fast and predictable when you run php artisan config:cache<\/code>.<\/p>\n\n\n
    php artisan config:cache<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
    <\/p>\n\n\n\n\n
    <\/div>\n\n\n\n\n
    3 – Use secrets in code (safely)<\/strong><\/h2>\n\n\n\n
    Fetch secrets via config()<\/code> and never log or echo them:<\/p>\n\n\n
    \/\/ app\/Services\/EmailService.php<\/span>\nnamespace<\/span> App<\/span>\\Services<\/span>;\n\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Http<\/span>;\n\nclass<\/span> EmailService<\/span>\n<\/span>{\n    public<\/span> function<\/span> sendTransactional<\/span>($to, $subject, $html)<\/span>\n    <\/span>{\n        $key = config('services.mailgun.key'<\/span>); \/\/ do not use env() here<\/span>\n\n        return<\/span> Http::withToken($key)\n            ->post('https:\/\/api.mailgun.net\/v3\/your-domain\/messages'<\/span>, [\n                'to'<\/span> => $to,\n                'subject'<\/span> => $subject,\n                'html'<\/span> => $html,\n            ]);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Keep secrets out of debug pages and logs: don\u2019t dump $key<\/code>, don\u2019t include it in exceptions.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n\n
    <\/div>\n\n\n\n
    4 – Optional: Encrypt secrets at rest in your database (with an Admin UI)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n
    \n
    Why do this?<\/strong> If non-technical admins need to update API keys without SSH access, store them in a small app_settings<\/code> table encrypted at rest<\/em>, exposed via a protected settings page. This approach complements (not replaces) .env<\/code> for certain keys.<\/p>\n<\/blockquote>\n\n\n\n
    Create the table:<\/p>\n\n\n
    php artisan make:migration create_app_settings_table<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n
    \/\/ database\/migrations\/xxxx_xx_xx_create_app_settings_table.php<\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Database<\/span>\\Migrations<\/span>\\Migration<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Database<\/span>\\Schema<\/span>\\Blueprint<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Schema<\/span>;\n<\/span><\/span>\n<\/span><\/span>return<\/span> new<\/span> class<\/span> extends<\/span> Migration<\/span> <\/span>{\n<\/span><\/span>  public<\/span> function<\/span> up<\/span>()<\/span>: void<\/span> <\/span>{\n<\/span><\/span>    Schema::create('app_settings'<\/span>, function<\/span> (Blueprint $table)<\/span> <\/span>{\n<\/span><\/span>      $table->id();\n<\/span><\/span>      $table->string('key'<\/span>)->unique();\n<\/span><\/span>      $table->text('value'<\/span>);   \/\/ encrypted blob<\/span>\n<\/span><\/span>      $table->timestamps();\n<\/span><\/span>    });\n<\/span><\/span>  }\n<\/span><\/span>  public<\/span> function<\/span> down<\/span>()<\/span>: void<\/span> <\/span>{\n<\/span><\/span>    Schema::dropIfExists('app_settings'<\/span>);\n<\/span><\/span>  }\n<\/span><\/span>};\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Model with transparent encryption\/decryption:<\/p>\n\n\n
    \/\/ app\/Models\/AppSetting.php<\/span>\n<\/span><\/span>namespace<\/span> App<\/span>\\Models<\/span>;\n<\/span><\/span>\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Database<\/span>\\Eloquent<\/span>\\Model<\/span>;\n<\/span><\/span>\n<\/span><\/span>class<\/span> AppSetting<\/span> extends<\/span> Model<\/span><\/span>\n<\/span><\/span><\/span>{\n<\/span><\/span>    protected<\/span> $fillable = ['key'<\/span>,'value'<\/span>];\n<\/span><\/span>\n<\/span><\/span>    public<\/span> function<\/span> setValueAttribute<\/span>($val)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $this<\/span>->attributes['value'<\/span>] = encrypt($val);\n<\/span><\/span>    }\n<\/span><\/span>    public<\/span> function<\/span> getValueAttribute<\/span>($val)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        return<\/span> decrypt($val);\n<\/span><\/span>    }\n<\/span><\/span>}\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Routes + controller (lock behind Admin role):<\/p>\n\n\n
    \/\/ routes\/web.php<\/span>\n<\/span><\/span>use<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>\\SettingsController<\/span>;\n<\/span><\/span>\n<\/span><\/span>Route::middleware(['auth'<\/span>,'role:Admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n<\/span><\/span>  Route::get('\/admin\/settings'<\/span>, [SettingsController::class,'edit'<\/span>])->name('admin.settings.edit'<\/span>);\n<\/span><\/span>  Route::post('\/admin\/settings'<\/span>, [SettingsController::class,'update'<\/span>])->name('admin.settings.update'<\/span>);\n<\/span><\/span>});\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n
    \/\/ app\/Http\/Controllers\/Admin\/SettingsController.php<\/span>\n<\/span><\/span>namespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>;\n<\/span><\/span>\n<\/span><\/span>use<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\n<\/span><\/span>use<\/span> App<\/span>\\Models<\/span>\\AppSetting<\/span>;\n<\/span><\/span>use<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\n<\/span><\/span>\n<\/span><\/span>class<\/span> SettingsController<\/span> extends<\/span> Controller<\/span><\/span>\n<\/span><\/span><\/span>{\n<\/span><\/span>    public<\/span> function<\/span> edit<\/span>()<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $mailgun = AppSetting::firstWhere('key'<\/span>,'mailgun_key'<\/span>)?->value;\n<\/span><\/span>        $stripe  = AppSetting::firstWhere('key'<\/span>,'stripe_secret'<\/span>)?->value;\n<\/span><\/span>\n<\/span><\/span>        return<\/span> view('admin.settings'<\/span>, compact('mailgun'<\/span>,'stripe'<\/span>));\n<\/span><\/span>    }\n<\/span><\/span>\n<\/span><\/span>    public<\/span> function<\/span> update<\/span>(Request $r)<\/span><\/span>\n<\/span><\/span>    <\/span>{\n<\/span><\/span>        $data = $r->validate([\n<\/span><\/span>            'mailgun_key'<\/span> => 'nullable|string'<\/span>,\n<\/span><\/span>            'stripe_secret'<\/span> => 'nullable|string'<\/span>,\n<\/span><\/span>        ]);\n<\/span><\/span>\n<\/span><\/span>        if<\/span>(isset<\/span>($data['mailgun_key'<\/span>])){\n<\/span><\/span>            AppSetting::updateOrCreate(['key'<\/span> => 'mailgun_key'<\/span>], ['value'<\/span> => $data['mailgun_key'<\/span>]]);\n<\/span><\/span>        }\n<\/span><\/span>        if<\/span>(isset<\/span>($data['stripe_secret'<\/span>])){\n<\/span><\/span>            AppSetting::updateOrCreate(['key'<\/span> => 'stripe_secret'<\/span>], ['value'<\/span> => $data['stripe_secret'<\/span>]]);\n<\/span><\/span>        }\n<\/span><\/span>\n<\/span><\/span>        return<\/span> back()->with('status'<\/span>,'Settings updated.'<\/span>);\n<\/span><\/span>    }\n<\/span><\/span>}\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Minimal UI:<\/p>\n\n\n
    <!-- resources\/views\/admin\/settings.blade.php -->\n<\/span><\/span>@extends('layouts.app'<\/span>)\n<\/span><\/span>\n<\/span><\/span>@section('content'<\/span>)\n<\/span><\/span><div class<\/span>=\"container<\/span> py<\/span>-4\" style<\/span>=\"max<\/span>-width<\/span>:680px<\/span>\"><\/span>\n<\/span><\/span>  <h1<\/span> class<\/span>=\"h5<\/span> mb<\/span>-3\">Secure<\/span> Settings<\/span><\/h1<\/span>><\/span>\n<\/span><\/span>  @if<\/span> (session<\/span>('status<\/span>')) <div<\/span> class<\/span>=\"alert<\/span> alert<\/span>-success<\/span>\"><\/span>{{ session('status'<\/span>) }}<\/div> @endif<\/span>\n<\/span><\/span>\n<\/span><\/span>  <form method=\"POST\"<\/span> action=\"{{ route('admin.settings.update') }}\"<\/span> class<\/span>=\"card<\/span> card<\/span>-body<\/span>\"><\/span>\n<\/span><\/span>    @csrf<\/span><\/span>\n<\/span><\/span>    <label<\/span> class<\/span>=\"form<\/span>-label<\/span>\">Mailgun<\/span> API<\/span> Key<\/span><\/label<\/span>><\/span>\n<\/span><\/span>    <input<\/span> class<\/span>=\"form<\/span>-control<\/span> mb<\/span>-3\" name<\/span>=\"mailgun_key<\/span>\" value<\/span>=\"<\/span>{{ old('mailgun_key'<\/span>, $mailgun) }}\" autocomplete=\"<\/span>off\"><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <label class=\"<\/span>form-label\">Stripe Secret<\/label><\/span><\/span>\n<\/span><\/span>    <input class=\"<\/span>form-control mb-3<\/span>\" name=\"<\/span>stripe_secret\" value=\"<\/span>{{ old('stripe_secret'<\/span>, $stripe) }}\" autocomplete=\"<\/span>off\"><\/span><\/span>\n<\/span><\/span><\/span><\/span>\n<\/span><\/span>    <button class=\"<\/span>btn btn-primary\">Save<\/button><\/span><\/span>\n<\/span><\/span>    <p class=\"<\/span>text-muted small mt-2<\/span> mb-0<\/span>\">Values are encrypted at rest.<\/p><\/span><\/span>\n<\/span><\/span>  <\/form><\/span><\/span>\n<\/span><\/span><\/div><\/span><\/span>\n<\/span><\/span>@endsection<\/span><\/span>\n<\/span><\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    How to use these settings in code?<\/strong> Read them (decrypted) via the model or a small cache:<\/p>\n\n\n
    $mailgun = optional(\\App\\Models\\AppSetting::firstWhere('key'<\/span>,'mailgun_key'<\/span>))?->value;\n$stripeSecret = optional(\\App\\Models\\AppSetting::firstWhere('key'<\/span>,'stripe_secret'<\/span>))?->value;<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
    Security notes:<\/strong> protect the route with Admin-only access, consider activity logs, and never display secrets in plain text to non-privileged users.<\/p>\n\n\n\n
    <\/p>\n\n\n\n\n\n
    <\/div>\n\n\n\n
    5 – Optional: Use a managed Secrets Manager in production (how-to)<\/strong><\/h2>\n\n\n\n
    <\/p>\n\n\n\n