Security Awareness

Security, Secrets & Responsible Ownership

How to handle credentials, API keys, access tokens, and sensitive data. Covers what to never share and why access control matters.

Outcome: Fewer credential incidents and better data hygiene across the organisation

1. What counts as a secret

A secret is any piece of information that grants access to a system, account, or data. This includes passwords, API keys, OAuth tokens, database connection strings, private encryption keys, two-factor backup codes, and session tokens. The test is simple: if someone else obtaining this information could act as you, or reach something they are not authorised to reach, it is a secret, whatever the system happens to call it.

2. The rules for handling secrets

Never share secrets in chat messages, emails, or documents, even internally: those systems are searched, exported, and retained long after the conversation is forgotten. Never commit secrets to code repositories. Git history is permanent and searchable, so deleting the value in a later commit does not remove it; anyone who can clone the repository can still recover it from an earlier commit. Never paste secrets into AI tools, online validators, or debugging tools. Never reuse the same secret across multiple services, because one leak then opens all of them. If you need to share a secret with a colleague for a legitimate reason, use your organisation's approved secrets manager and rotate the secret immediately afterwards.

3. API keys and access tokens

API keys are credentials: treat them with the same care as passwords. Every service, project, and environment should have its own key, so that a key leaked from a development environment cannot be used against production and can be revoked without breaking anything else. Store keys in a secrets manager or inject them through environment variables at runtime; never hardcode them into source files, because source is copied, shared, and kept in history. Environment variables are the minimum, not the ideal: they are inherited by child processes, can be read by anyone able to inspect the process, and tend to end up in crash dumps and logs, so prefer the secrets manager where one is available. If a key is no longer needed, revoke it immediately rather than leaving it dormant. A dormant key is still a valid credential that nobody is watching, which is exactly what makes it a target.
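
The two halves of the rule above, reading a key from the environment instead of the source and catching a hard-coded key before it is committed (the point of section 2 as well, since a value that never reaches a commit never reaches Git history), as an added example. This is not code from the Lumio-Tek training module: the variable name PAYMENTS_API_KEY and the pattern set are my own choices, the sample source text is constructed for the example, the sk_live value is invented, and the AKIA value is the example access key from AWS's own documentation, not a live credential.

```python
"""Added example: load a key from the environment (failing closed if it is
absent) and scan source text for hard-coded credentials the way a pre-commit
hook would, before the value lands in Git history."""
import math
import os
import re
from collections import Counter


# ---- Hardened pattern: the key is injected at runtime, never in source -----
def load_api_key(env_name="PAYMENTS_API_KEY", environ=None):
    """Return the credential from the environment; refuse to run without it.

    PAYMENTS_API_KEY is a hypothetical variable name. `environ` lets a caller
    inject a mapping (used for testing); by default the real process
    environment is consulted.
    """
    environ = os.environ if environ is None else environ
    value = environ.get(env_name, "").strip()
    if not value:
        raise RuntimeError(f"{env_name} is not set; refusing to start without a credential")
    return value


# ---- Pre-commit style detector for hard-coded secrets ----------------------
# Provider prefixes (AKIA..., ghp_...) are publicly documented key formats.
# The generic rule catches `api_key = "..."` style assignments and relies on
# an entropy check to skip obvious placeholders.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*["']([^"']{16,})["']"""
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_random(value, min_entropy=3.5):
    """Heuristic: mixed letters and digits plus high per-character entropy."""
    has_digit = any(ch.isdigit() for ch in value)
    has_alpha = any(ch.isalpha() for ch in value)
    return has_digit and has_alpha and shannon_entropy(value) >= min_entropy


def scan_source(text):
    """Return (line_number, rule_name, matched_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(2) if rule == "generic_assignment" else match.group(0)
            if rule == "generic_assignment" and not looks_random(value):
                continue  # e.g. "xxxxxxxx" style placeholders
            findings.append((lineno, rule, value))
    return findings


# Constructed sample of a source file as it might be staged for commit.
# The sk_live value is made up; the AKIA value is the example key from AWS's
# own documentation, not a live credential.
SAMPLE_SOURCE = """\
import os

API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"    # hard-coded: flagged
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"    # provider format: flagged
DB_PASSWORD = "xxxxxxxxxxxxxxxxxxxx"          # placeholder: ignored
token = os.environ["PAYMENTS_API_KEY"]        # read at runtime: not flagged
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_source(SAMPLE_SOURCE):
        # Never echo the full value into a terminal or CI log.
        print(f"line {lineno}: {rule}: {value[:6]}...")
```

Wired into a pre-commit hook over the staged files, a detector like this stops the commit before the value enters history. It is a heuristic: it will miss secrets in unfamiliar formats and may fire on high-entropy test fixtures, so a hit is a prompt to look, not a verdict. If it fires on something already committed, treat the value as exposed and rotate it, since removing the line afterwards does not remove it from history.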

4. What to do if a secret is exposed

If you suspect a secret has been exposed, whether it was seen by the wrong person, committed to a repository, or sent in a message, treat it as compromised immediately. Rotate the secret as soon as possible, before investigating how it happened: issue a new value, update everything that uses it, and revoke the old one. Rotation is not complete until the old value stops working. Report the incident to your team lead or security contact so that access logs can be checked for use of the old value. Don't wait to confirm whether it was actually misused before acting; by the time misuse is confirmed, it is too late.

5. Access control discipline

Only request access to systems and data you genuinely need for your current role. If your role changes, flag any access that may no longer be appropriate so it can be removed. Don't share your account credentials so colleagues can use your access level: when several people act under one identity, the audit log cannot show who did what, and an incident cannot be traced to a person. If someone needs access to something, they should request it through the proper channel.

Portal completion

Assigned users complete this module, assessments, acknowledgements and evidence requirements inside the Lumio-Tek Portal.
