API-Key Intake Checklist & Paper Drill

Module 2, Lesson 2.3 worksheet · pencil-and-paper

Two parts. Part 1 confirms your setup is clean and safe. Part 2 is ten scenarios that test whether you know the four rules well enough to apply them under pressure. Keep this sheet — Lesson 2.5 reuses the cap and posture lines.

The four rules — a reminder

Rule 1: Never commit an API key to source control.
Rule 2: Never paste into chat, email, or a screenshot.
Rule 3: Store in .env or a proper secrets manager.
Rule 4: Rotate when in doubt — delete and regenerate.

Part 1 — Intake checklist (10 items)

01. Provider account created and email verified.
02. Payment method added to Billing in the provider console.
03. Monthly spend cap set. Amount: $________. (Starter: $10 or $20.)
04. API key generated and given a meaningful name (e.g., ai-architect-academy-course). Name on record: __________________
05. Key stored as a line in a .env file. Line format: ANTHROPIC_API_KEY=sk-ant-...
06. .env file location verified — it is in your course working folder, not on the desktop, not in a shared cloud drive. Folder path: __________________
07. .gitignore file exists in the same folder and contains the line .env. (If you don’t yet use git, note “pending 2.4” and circle back.)
08. Test request against the provider’s API succeeded — a JSON response came back with a content field and no authentication error.
09. First-line snippet of the response body captured (1–2 words): “________________________”
10. Monthly cap visible in console right now, in a browser tab you can return to. Screenshot optional but recommended — if taken, crop out the key.
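
Items 05 to 07 can be verified by script rather than by eye. The following is an added example, not part of the original worksheet: check_intake, read_key and the RISKY_PARTS folder names are hypothetical, and the item 06 location test is only a name-based heuristic.

```python
from pathlib import Path

KEY_NAME = "ANTHROPIC_API_KEY"          # variable name from checklist item 05
# Assumption: folder names that suggest a desktop or synced/shared drive (item 06).
RISKY_PARTS = {"desktop", "google drive", "dropbox", "onedrive", "icloud drive"}


def read_key(env_path):
    """Return the value of the KEY_NAME line in a .env file, or None."""
    for raw in env_path.read_text(encoding="utf-8").splitlines():
        name, sep, value = raw.strip().partition("=")
        if sep and name.strip() == KEY_NAME:
            return value.strip().strip("'\"") or None
    return None


def check_intake(folder):
    """Check items 05-07; return a list of problems (empty list = clean).

    Messages never include the key itself, so the output is safe to share.
    """
    folder = Path(folder).resolve()
    env_path, ignore_path = folder / ".env", folder / ".gitignore"
    problems = []

    key = read_key(env_path) if env_path.is_file() else None
    if key is None:
        problems.append("05: no %s=... line in .env" % KEY_NAME)

    if any(part.lower() in RISKY_PARTS for part in folder.parts):
        problems.append("06: folder looks like a desktop or synced drive")

    ignored = ignore_path.is_file() and any(
        line.strip() in (".env", "/.env")
        for line in ignore_path.read_text(encoding="utf-8").splitlines())
    if not ignored:
        problems.append("07: .gitignore missing or has no .env line")

    # Rule 3 cross-check: the key value must not appear in any other file here.
    if key:
        for path in sorted(folder.iterdir()):
            if path.is_file() and path.name != ".env":
                if key in path.read_text(encoding="utf-8", errors="ignore"):
                    problems.append("rule 3: key value found in " + path.name)
    return problems


if __name__ == "__main__":
    import sys
    for problem in check_intake(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(problem)
```

Run it with the course working folder as its argument; an empty output means items 05 to 07 pass.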

Part 2 — Paper drill: ten scenarios

For each scenario: was the student’s handling OK or not? If not, which rule did they break? Write one sentence of reasoning.

OK? (yes / no) · Rule broken (1 / 2 / 3 / 4 / none) · One-sentence reasoning

SCENARIO 01

A student pastes their API key into a Discord support channel to ask why they’re getting an authentication error.

ok?
rule
reasoning

SCENARIO 02

A student creates a .env with their key, then creates a .gitignore that lists .env before any git commit.

ok?
rule
reasoning

SCENARIO 03

A student commits .env to a public GitHub repo, realizes a minute later, and force-pushes to remove the line but does not rotate the key.

ok?
rule
reasoning

SCENARIO 04

A student stores the key in their 1Password vault under an entry called “Anthropic API” and references it by name from a script that reads from 1Password’s CLI.

ok?
rule
reasoning

SCENARIO 05

A student posts a screenshot of their terminal on Twitter to show off a successful API call. The key scrolled off the top of the terminal before the screenshot — it’s not visible in the image.

ok?
rule
reasoning

SCENARIO 06

A student emails a zipped folder containing their project to a teacher. The zip includes .env.

ok?
rule
reasoning

SCENARIO 07

A student hard-codes the key as a Python string at the top of main.py, surrounded by a comment that says “DO NOT SHARE.”

ok?
rule
reasoning

SCENARIO 08

A student notices their .env was copied to a shared family Google Drive folder by accident three days ago. They delete the file from Drive but do not rotate the key.

ok?
rule
reasoning

SCENARIO 09

A student sets a $20 monthly cap, then runs a misconfigured loop that spends $19 in four minutes. The cap stops the run. They stop, audit what went wrong, fix it, and resume under the same cap.

ok?
rule
reasoning

SCENARIO 10

A student rotates their API key once a week out of caution, even though they have no evidence it has leaked.

ok?
rule
reasoning

Scoring yourself

All ten checklist items ticked — you have a clean cloud posture. If any item is blank, finish it before Lesson 2.4. On the scenarios: 8–10 correct is a pass; 6–7 is a caution (re-read the four rules); under 6 says to slow down and go back to the lesson. Answer key for the scenarios: scenarios 2, 4, 9, and 10 are OK (rule: none). Scenarios 1, 3, 5, 6, 7, and 8 all break at least one rule — map each to rule 1, 2, 3, or 4 and defend your call.

Student name: _________________________    Date: ___________