API Keys Are Just Static Passwords That Are Being Set

A lot of people treat the API keys almost like an identifier that they just noted and, you know, their script or they noted in the text file. They don't protect it nearly as tightly as they probably should if they really realized this was truly a password type enablement feature. The bad guys are getting very adept at finding those. Even if you do realize that you accidentally committed that key and then you commit a new version of your code without the key, that history is still there.