Never hardcode API keys in source code or commit them to version control.
Use one key per environment (dev, staging, production) so you can revoke them independently.
Immediately revoke keys you no longer use.
Monitor the Analytics dashboard for unexpected usage spikes, which may indicate an exposed key.
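
One way to apply the first two rules in application code, shown as an added example that is not part of the original page: the key is read from the process environment instead of the source, and startup fails if the key is missing or if two environments share the same key. The `EXAMPLE_API_KEY_<ENV>` variable names and the helper names are assumptions made for this illustration.

```python
import os

# Assumed naming scheme (not defined by the page): one variable per environment.
ENVIRONMENTS = ("dev", "staging", "production")
VAR_TEMPLATE = "EXAMPLE_API_KEY_{env}"


class KeyConfigError(RuntimeError):
    """Raised when the key configuration breaks one of the rules above."""


def var_name(environment):
    return VAR_TEMPLATE.format(env=environment.upper())


def load_api_key(environment, env=None):
    """Return the API key for `environment`, read from the process environment.

    Fails closed if the key is missing, or if the same key value is also
    configured for another environment (a shared key cannot be revoked
    independently).
    """
    env = os.environ if env is None else env
    if environment not in ENVIRONMENTS:
        raise KeyConfigError(f"unknown environment: {environment!r}")
    key = env.get(var_name(environment), "").strip()
    if not key:
        raise KeyConfigError(f"{var_name(environment)} is not set")
    for other in ENVIRONMENTS:
        if other != environment and env.get(var_name(other), "").strip() == key:
            raise KeyConfigError(
                f"{var_name(environment)} and {var_name(other)} hold the same key"
            )
    return key


def mask(key):
    """Shorten a key for log output so the full value never reaches logs."""
    return key[:4] + "..." if len(key) > 8 else "***"


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    sample = {
        "EXAMPLE_API_KEY_DEV": "dev-0000-constructed",
        "EXAMPLE_API_KEY_PRODUCTION": "prod-1111-constructed",
    }
    print(mask(load_api_key("production", sample)))
```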