If you’re starting from scratch, begin with a secret manager and environment separation. That single step eliminates the most common class of production key leaks.

```python
# Read from the environment (or a secret manager that injects it)
import os

API_KEY = os.environ.get("PROD_API_KEY")
```

```python
# Hardcoded in source code
API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
```
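The two sides of that advice, as an added example that is not part of the original text: a loader that reads the key from the environment with one variable name per deployment environment and refuses to start with a missing key or with a live key outside production, plus a small scanner that flags key-shaped string literals in source. The variable names `DEV_API_KEY`, `STAGING_API_KEY` and `APP_ENV`, the `sk_live_`/`sk_test_` prefix convention and the sample source text are assumptions constructed for this example.

```python
import os
import re

# Assumed convention for this example: one environment variable per deployment
# environment, so a shell configured for development cannot see the production key.
KEY_VARIABLES = {
    "development": "DEV_API_KEY",
    "staging": "STAGING_API_KEY",
    "production": "PROD_API_KEY",
}

# Assumed prefix convention: live keys start with sk_live_, test keys with sk_test_.
LIVE_KEY_PREFIX = "sk_live_"


class SecretConfigError(RuntimeError):
    """Raised when the process must not start because its secret is missing or misplaced."""


def load_api_key(environ, app_env):
    """Return the API key for app_env from environ (any mapping, e.g. os.environ).

    Fails closed: an unknown environment, an unset variable, or a live key in a
    non-production environment all raise instead of silently continuing.
    """
    if app_env not in KEY_VARIABLES:
        raise SecretConfigError(f"unknown APP_ENV {app_env!r}")
    var_name = KEY_VARIABLES[app_env]
    key = environ.get(var_name)
    if not key:
        raise SecretConfigError(f"{var_name} is not set; refusing to start without a secret")
    if app_env != "production" and key.startswith(LIVE_KEY_PREFIX):
        raise SecretConfigError(f"live key found in {app_env}; environments are not separated")
    return key


# Matches a quoted literal that looks like an API key under the assumed prefix convention.
HARDCODED_KEY_RE = re.compile(r"[\"'](sk_(?:live|test)_[A-Za-z0-9]{8,})[\"']")


def find_hardcoded_keys(source):
    """Return (line_number, key_prefix) for each key-shaped literal in source.

    Only the 8-character prefix is returned so the scanner itself never echoes a secret.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in HARDCODED_KEY_RE.finditer(line):
            hits.append((lineno, match.group(1)[:8]))
    return hits


# Constructed sample source to run the scanner over; the keys are not real.
SAMPLE_SOURCE = """\
import os
API_KEY = os.environ.get("PROD_API_KEY")   # fine: read from the environment
FALLBACK = "sk_live_0000000000000000000000"  # constructed, not a real key
TEST_KEY = "sk_test_1111111111111111111111"  # constructed, not a real key
"""


if __name__ == "__main__":
    # Constructed environments instead of the real os.environ so this runs anywhere.
    print(load_api_key({"PROD_API_KEY": "sk_live_example"}, "production"))
    try:
        load_api_key({"DEV_API_KEY": "sk_live_example"}, "development")
    except SecretConfigError as err:
        print("rejected:", err)
    for lineno, prefix in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded key starting with {prefix}")
```

In a real deployment `load_api_key(os.environ, os.environ["APP_ENV"])` runs once at startup, and `find_hardcoded_keys` is the kind of check that belongs in a pre-commit hook or CI step rather than in the application.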