
socieboy:

Security Tips about API Credentials on Private Git repos.

I know that as Laravelers we don't do that, but working with another company's team I noticed that they were doing something like that, and of course I can't think it is wrong because it is a private repo, and only the team should have access to it.

But technically what is wrong with that?

0 likes
4 replies
automica:

The problem is relying on the security of the git repo to protect your API keys.

If someone has their account compromised and a person gets into the repo, then these API keys are suddenly not private any more.

If you have got 2FA set up for users, then that makes it harder to break in.

Sometimes storing may be acceptable, e.g. if it's a read-only API. If you are doing anything financial with them, then find a way to keep them out of the repo.

martinbean:

@socieboy Many reasons. If the repo is accidentally made public, or forked to a public repo, those keys are now compromised. If the company brings on a contractor, then that contractor now has the company's private keys.

Snapey:

Anyone cloning the application (legitimately) would then have production keys on their laptop which might be an issue if it was lost or broken into.
