> ## Documentation Index
> Fetch the complete documentation index at: https://docs.budecosystem.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing API Keys and Projects

> Best practices for secure credential lifecycle and project organization

## Why this guide matters

Projects and API keys are the two most important control surfaces for access governance in Customer Dashboard.

```mermaid theme={null}
graph TB
    A[Project Created] --> B[Create API Key]
    B --> C[Use in App]
    C --> D[Monitor Last Used]
    D --> E{Still Required?}
    E -->|Yes| F[Rotate Key]
    E -->|No| G[Revoke Key]
```

## Project design recommendations

* Use consistent naming (`team-workload-environment`).
* Keep prod and non-prod in separate projects.
* Add tags for cost center, owner, and compliance domain.

## API key lifecycle

### Create

* Create keys per service integration, not per individual user.
* Set explicit expiry dates where possible.

### Store

* Store keys only in secure secret managers.
* Never embed keys in frontend bundles or repos.

### Rotate

* Rotate regularly and after personnel or ownership changes.
* Prefer dual-key rotation windows to avoid downtime.

### Revoke

* Revoke immediately if compromise is suspected.
* Remove unused keys to minimize attack surface.

## Common workflows

1. Create project for a new product surface.
2. Create API key scoped to that project.
3. Deploy with secure secret injection.
4. Track `last used` and expiry from API key table.
5. Rotate or revoke based on lifecycle policy.

## Validation checklist

* [ ] Every key is mapped to exactly one project and service owner.
* [ ] Keys have expiry and rotation cadence.
* [ ] Revocation process is documented and tested.
