API Tokens and Secrets
This page documents how API keys and tokens should be handled.
It must never contain real secret values.
GitHub Personal Access Token
GitHub no longer accepts normal account passwords for Git over HTTPS.
When Git asks for a password, use a GitHub personal access token.
Username: keeepitrunninup
Password: GitHub personal access token
Token Permissions
Use the smallest permission set that works.
For pushing to this repository, the token normally needs repository write access.
For read-only server pulls from a private repository, the token only needs repository read access.
Where Secrets Can Live
Use one of these:
- GitHub repository secrets.
- Server environment variables.
- A password manager.
- A
.envfile that is not committed. - The dashboard of the service that owns the secret.
Where Secrets Must Not Live
Do not store secrets in:
- Markdown docs.
- Git commits.
- Screenshots.
- Public issues.
- Discord messages that many people can see.
- Nginx public web folders.
static/files.
If A Secret Is Leaked
- Revoke the exposed token immediately.
- Create a replacement token.
- Update the server or service using it.
- Check logs for suspicious use.
- Remove the secret from Git history if it was committed.
Example Placeholder Format
Use placeholders in docs:
GITHUB_TOKEN=replace-with-your-token
DISCORD_BOT_TOKEN=replace-with-your-token
API_KEY=replace-with-your-api-key
Never replace those placeholders with real values in this repository.