Recommendation: Rotate DeepL API keys on a fixed period that aligns with your compliance window, and keep them out of source code to protect both translations and the data they carry.
During onboarding, create distinct keys for each environment (dev, staging, production) and attach them to minimal-scoped permissions. Use a secrets manager or vault and reference keys via environment variables, not in file-based configurations. This reduces risk if a key is compromised.
Store keys securely during deployment by injecting them at runtime rather than baking them into images.
Best practice is to select keys with restricted IP ranges, enable usage logs, and revoke access quickly when roles change. Regular audits should verify that the activity aligns with the intended scope and that translated requests originate from trusted services.
Rotate keys every 30 days or according to a defined period, and record their creation date in your inventory. Maintain an owner for each key and set alert rules for unusual usage patterns, especially around translations that involve sensitive data.
Avoid embedding keys in any file tracked by version control. Instead, rely on a secrets store and reference keys at runtime. In documentation, use a clearly marked placeholder to show where a key would appear without exposing a real value.
For automation, record in your credentials vault which key belongs to which DeepL account and owner, and review this mapping quarterly.
When you need to revoke access, a single revoke action should immediately disable the key, and your deployment should switch to a fresh key without downtime. Validate the change by sending a test translation request and confirming that your service receives a correct translation.
Keep an audit trail in your internal portal, and document the owner and purpose of every key so that their translations remain traceable. This makes it easy to scale access control as your team grows and your translation volume increases.
Securely storing keys with environment variables and secret managers
Store the DeepL API key in a secret manager and reference it via an environment variable at runtime; never embed the key in code or configuration files.
Environment variables
- Define a fixed variable name, for example DEEPL_API_KEY, and load it through your deployment configuration rather than hard-coding the value.
- Inject the value at startup and avoid displaying it in logs or dashboards; mask the display in all user interfaces.
- Keep separate keys for each environment, and keep the previous key available alongside the current one during rotation to enable safe deactivation and quick rollback.
- For local development, use a .env or local profile that is excluded from version control; during build, pull from the secret store instead of embedding the value.
- Avoid displaying the value in dashboards or user interfaces; use programmatic access only.
- For amagama and other translation tooling, treat keys as secrets with access scoped per service to prevent cross-project leakage.
- Audit access by checking the secret manager's logs to see who accessed the key and when; restrict access to the teams that need it.
- Keep an audit trail in Sheets or another log store so you can review access for every rotation period and find which services accessed the key.
- Plan a rotation period of about one month; rotate keys in a way that minimizes downtime and validate every service that sends translation requests.
- Keep previous key versions in the vault's protected version history so you can roll back; use the current version for normal operations.
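As an added example (not code from the original page or from DeepL), the loader below shows what "reference the key via an environment variable, never display it" looks like in practice: the key is read once at startup from an injected variable, wrapped so that `str()`/`repr()`/logging can never print it, identified in audit records by a hash fingerprint, and scrubbed from free text before it reaches a log line. The variable name DEEPL_API_KEY, the minimum length and the sample value in the test are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass

# Variable name assumed for this example; the text above suggests DEEPL_API_KEY.
ENV_VAR = "DEEPL_API_KEY"


@dataclass(frozen=True, repr=False)
class ApiKey:
    """Wrapper that never exposes the full key through str()/repr()/logging."""
    value: str

    def masked(self) -> str:
        # Enough to recognise the key in a dashboard, not enough to reuse it.
        return f"{self.value[:4]}...({len(self.value)} chars)"

    def fingerprint(self) -> str:
        # Stable identifier for audit records that does not store key material.
        return hashlib.sha256(self.value.encode("utf-8")).hexdigest()[:12]

    def __repr__(self) -> str:
        return f"ApiKey({self.masked()})"

    __str__ = __repr__


def load_api_key(environ=None, var: str = ENV_VAR) -> ApiKey:
    """Read the key from the process environment (injected at runtime by the
    deployment or secret manager). Refuses empty values and anything that looks
    like a path to a file, so a mis-wired config fails fast instead of silently."""
    env = os.environ if environ is None else environ
    raw = (env.get(var) or "").strip()
    if not raw:
        raise RuntimeError(f"{var} is not set; inject it from the secret manager, not from a file")
    # Shape check (assumption): a key is one opaque token, not a path or a sentence.
    if any(ch.isspace() for ch in raw) or os.sep in raw or len(raw) < 20:
        raise RuntimeError(f"{var} does not look like an API key value")
    return ApiKey(raw)


def redact(text: str, key: ApiKey) -> str:
    """Strip the key from any free text (exception messages, request dumps)
    before it reaches a log line or dashboard."""
    return text.replace(key.value, "[REDACTED]")


if __name__ == "__main__":
    key = load_api_key()
    print("loaded", key, "fingerprint", key.fingerprint())
```

Pass the `ApiKey` object around instead of the raw string; call `.value` only at the point where the HTTP header is built, and run exception text through `redact()` before logging it.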
Secret managers
- Store the key in a secret manager (AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or a platform-neutral option) and map it to the environment variable on deploy.
- Apply least-privilege policies so only the service accounts used by your languages and services can retrieve the secret.
- Use a central secret store to manage versions with a defined rotation workflow; include a deactivation process and track which services are using each key.
- Configure automatic rotation when available; otherwise implement a rotation plan and set up alerts for failed rotations or access anomalies.
- During rotation, verify that each service can fetch the current value at startup, test with a non-production environment, and then roll out gradually to production.
- When deploying, ensure the application reads from the environment variable and not from in-repo files; after rotation, restart affected services to apply the new key.
- Include a deactivation workflow to revoke old keys and prevent reuse if a compromise is found, and document the steps for rapid rollback.
Restricting key usage by IP, platform, and app origin
Limit each API key to approved IPs, platforms, and app origins. Create an allowlist of IP ranges and domain patterns, and enforce the checks at the edge before any translation or document request is processed. This reduces the risk when keys are leaked or misused.
Define the current policy in the control plane and maintain a glossary of valid origins and platforms so that access behaviour is predictable. For new keys, start from a restrictive default scope, then set a targeted scope for each app origin. Document the rules so teams can reference them quickly and align with your data-handling requirements.
Configure the edge layer to perform an origin check and an IP allowlist check. Accept requests only from approved IPs and known origins such as internal apps, web apps, add-ons, or external services. Use the key's metadata to enforce its scope. If your flow routes translations through third-party tools or spreadsheet add-ons, add those origins to the allowlist and map them in the glossary to a clear app name. Keep the origin rules in one central policy store for consistent behaviour.
Enable logs for denied requests and store the events in a document or audit repository. Provide a summary for governance and keep a record of previous origins to track changes over time. When a mismatch appears, alert the team and revoke the affected key immediately.
Rotate keys on a defined cadence, use short-lived tokens when possible, and apply per-app scopes to minimize blast radius. Manage all keys from one control point, and set alerts for new origins or unusual patterns in translation usage. For teams using add-ons, document the plan and update the glossary to reflect new sources. Keep user-facing messages clear so that key rotation is transparent to users.
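The edge check described in this section, as an added example (not the page's or DeepL's code): each key id maps to a policy of CIDR ranges, origin-host patterns and permitted platforms, and a request is forwarded only when all three match. The key ids, app names, networks and hostnames in the registry are constructed placeholders; the `denied_event` record is the shape of the denied-request log the text asks for.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class KeyPolicy:
    key_id: str
    app_name: str            # glossary entry: human-readable name for the origin
    networks: tuple          # CIDR allowlist (IPv4 and/or IPv6)
    origins: tuple           # glob patterns matched against the request's origin host
    platforms: frozenset     # e.g. {"web", "addon", "service"}


# Constructed registry; key ids, apps, ranges and hosts are placeholders.
POLICIES = {
    "key-web-01": KeyPolicy("key-web-01", "customer-portal",
                            ("203.0.113.0/24",), ("portal.example.com",), frozenset({"web"})),
    "key-addon-02": KeyPolicy("key-addon-02", "sheets-addon",
                              ("198.51.100.0/24",), ("*.addons.example.com",), frozenset({"addon"})),
    "key-svc-03": KeyPolicy("key-svc-03", "batch-translator",
                            ("10.10.0.0/16", "2001:db8::/32"), ("*.internal.example",), frozenset({"service"})),
}


def check_request(key_id: str, client_ip: str, origin: str, platform: str):
    """Edge check run before the request is forwarded. Returns (allowed, reason);
    the reason is what goes into the denied-request log."""
    policy = POLICIES.get(key_id)
    if policy is None:
        return False, "unknown key id"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client ip"
    # ip_address in ip_network is False (not an error) when address families differ.
    if not any(ip in ipaddress.ip_network(net) for net in policy.networks):
        return False, "ip outside allowlist"
    host = origin.strip().lower()
    if not any(fnmatch(host, pattern) for pattern in policy.origins):
        return False, "origin not in allowlist"
    if platform not in policy.platforms:
        return False, "platform not permitted for this key"
    return True, f"ok:{policy.app_name}"


def denied_event(key_id, client_ip, origin, platform, reason):
    """Audit record for a denied request: decision inputs only, never key material."""
    return {"key_id": key_id, "ip": client_ip, "origin": origin,
            "platform": platform, "reason": reason}


if __name__ == "__main__":
    ok, why = check_request("key-web-01", "203.0.113.15", "portal.example.com", "web")
    print(ok, why)
```

The policy is keyed by key id, not by key value, so the edge never needs the secret itself; that keeps the allowlist data safe to store in the same place as the glossary.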
Implementing automatic key rotation and revocation workflows
Set up a rotation plan that creates a new API key in your secret store, updates every service using that key, and revokes the old credential. Define the default rotation period as 30 days and apply that cadence to all regions in the selected environment. The policy should run automatically, with a failover path and a change log that records who triggered the rotation and when.
Define clear policy gates: rotate before the current key reaches its end of life, require every target service to use the new key, and prevent hard-coded keys in code or config. Scope each rotation to the selected region and target environment, and align invoices with actual usage so billing reflects current activity. The plan must specify who can approve a rotation and how test or placeholder entries are handled during testing, and real assets should follow a consistent naming convention.
Automation starts by generating a fresh key, storing it under a stable name in the secret store, and propagating the value to every consumer of the key. A rotation job then updates environment variables, deployment manifests, and runtime configurations without downtime. Triggering a rotation should first perform a dry run to verify that all targets will switch to the new key and that no service will fail during the transition. Use usage metrics to confirm that all services reference the new key and that old references are gone, then switch the active key in production.
Revocation follows a validated deployment: revoke the old key immediately after all targets confirm successful use of the new key, maintain an audit trail, and disable any stale credentials within 24 hours. Ensure that the policy enforces regional scoping so revocation does not affect unintended regions, and archive any invoices tied to old keys for accountability. Tag log entries from unknown origins distinctly, and tag test traffic separately so that test data stays apart from live traffic.
Monitoring and validation keep integrity high: alert on rotation failures, key fetch errors, or mismatches between deployed keys and those stored. Regularly compare usage reports against invoices to detect anomalies, and document changes with a concise naming scheme so future audits trace back to the exact plan and target configuration. Also ensure that every rotation step aligns with the policy, the region, and the selected services, so access remains tightly controlled and traceable.
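The stage, dry-run, promote, verify, revoke sequence described above (and in the "Secret managers" bullets earlier) as one added, runnable example; it is not the page's or DeepL's code. `SecretStore` is a constructed stand-in for a versioned secret manager, `Service` simulates a consumer that re-fetches the key on restart, and `issue_key()` is a placeholder for requesting a new key from the provider. The audit entries record who, when, version numbers and a hash fingerprint, never the key value.

```python
import hashlib
import secrets
from datetime import datetime, timezone


class SecretStore:
    """Stand-in for a versioned secret manager (constructed for this example)."""

    def __init__(self):
        self._versions = {}  # secret name -> {version: {"value": str, "state": str}}

    def stage(self, name, value):
        versions = self._versions.setdefault(name, {})
        version = len(versions) + 1
        versions[version] = {"value": value, "state": "staged"}
        return version

    def promote(self, name, version):
        for rec in self._versions[name].values():
            if rec["state"] == "current":
                rec["state"] = "previous"
        self._versions[name][version]["state"] = "current"

    def current(self, name):
        for rec in self._versions[name].values():
            if rec["state"] == "current":
                return rec["value"]
        raise LookupError(f"no current version of {name}")

    def revoke(self, name, version):
        self._versions[name][version]["state"] = "revoked"

    def revoke_others(self, name, keep):
        revoked = []
        for version, rec in self._versions[name].items():
            if version != keep and rec["state"] != "revoked":
                rec["state"] = "revoked"
                revoked.append(version)
        return revoked

    def state(self, name, version):
        return self._versions[name][version]["state"]


class Service:
    """A consumer of the key; reload() simulates the restart/fetch after rotation."""

    def __init__(self, name, healthy=True):
        self.name, self.healthy, self.key_in_use = name, healthy, None

    def dry_run(self, candidate):
        # Would this service accept the new key? (simulated health check)
        return self.healthy and bool(candidate)

    def reload(self, store, secret_name):
        self.key_in_use = store.current(secret_name)


def issue_key():
    # Placeholder: a real rotation requests a new key from the provider's console/API.
    return "dl-" + secrets.token_hex(16)


def fingerprint(value):
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def rotate(store, secret_name, services, triggered_by, audit):
    """Stage -> dry run -> promote -> verify -> revoke. The audit list records who,
    when and which versions changed, but never the key value itself."""
    entry = {"at": datetime.now(timezone.utc).isoformat(), "by": triggered_by,
             "secret": secret_name}
    candidate = issue_key()
    version = store.stage(secret_name, candidate)
    entry["version"] = version
    entry["fingerprint"] = fingerprint(candidate)

    failed = [s.name for s in services if not s.dry_run(candidate)]
    if failed:
        store.revoke(secret_name, version)  # nothing else moved; old key stays current
        entry.update(result="aborted", failed=failed)
        audit.append(entry)
        return {"status": "aborted", "failed": failed, "version": version}

    store.promote(secret_name, version)
    for s in services:
        s.reload(store, secret_name)
    lagging = [s.name for s in services if s.key_in_use != candidate]
    if lagging:
        entry.update(result="partial", lagging=lagging)  # keep old versions until fixed
        audit.append(entry)
        return {"status": "partial", "lagging": lagging, "version": version}

    revoked = store.revoke_others(secret_name, version)
    entry.update(result="rotated", revoked=revoked)
    audit.append(entry)
    return {"status": "rotated", "version": version, "revoked": revoked}
```

The "partial" branch is the one to watch in production: old versions are deliberately left unrevoked until every consumer confirms the new key, which is what keeps the rollback path open within the 24-hour window the text allows.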
Enforcing least privilege through per-app keys and usage quotas
Implement least privilege by issuing per-app keys with strict scope. Each app receives a unique key bound to its app identifier, scope, and quotas; the key is active only for that app and cannot access resources owned by others. When creating a key, specify the allowed languages and endpoints (translate, language detection, and other options) and attach a usage plan that enforces per-app quotas. The metadata recorded at creation should include the owner, purpose, and an audit tag. Secure the key in a vault and rotate it on schedule; mandatory rotation reduces risk. All requests must pass the key in the Authorization header, and the gateway verifies the request's parameters (level and limits) before translating. Maintain governance by exporting metrics to a shared spreadsheet or report for internal reviews, and collect feedback from teams to refine quotas.
Implementation steps
Create per-app keys in the management console with a clear naming pattern (app-
Monitoring and governance
Track active keys, quota consumption, and anomaly signals in a single dashboard; monitor metrics such as total translated characters, requests, error rate, and neural versus standard model usage. Use thresholds to trigger alerts when usage nears limits, suspending the key to prevent overage. Provide recommendations to teams and update their keys accordingly. Collect feedback on changes in scope or required translations, keep source content and languages protected, and ensure translations for the selected languages are tracked. Periodically review the audit tags and revise each per-app scope as new features are added.
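An added example of the per-app scope and quota enforcement from this section, written as an internal gateway that sits in front of the translation backend; it is not the page's or DeepL's code. Only SHA-256 hashes of keys are held in memory, each key carries its endpoints, target languages and character quota, an alert fires at 90 percent of quota, and the key is suspended when a request would exceed the quota. The `DeepL-Auth-Key` header scheme is DeepL's documented one; the app ids, owners, key values and quota sizes are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class AppKey:
    app_id: str
    owner: str
    purpose: str
    endpoints: frozenset      # e.g. {"translate", "detect"}
    languages: frozenset      # target languages the app may request (upper-case codes)
    char_quota: int           # characters allowed per period
    used: int = 0
    suspended: bool = False


def _h(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


class Gateway:
    """Internal gateway that checks scope and quota before forwarding to the
    translation backend. Only hashes of keys are kept in memory."""

    def __init__(self, alert_ratio: float = 0.9):
        self._keys = {}          # sha256(raw key) -> AppKey
        self.alert_ratio = alert_ratio
        self.alerts = []         # (app_id, owner, message) tuples for the on-call channel

    def register(self, raw_key: str, app_key: AppKey) -> None:
        self._keys[_h(raw_key)] = app_key

    def authorize(self, auth_header: str, endpoint: str, target_lang: str, chars: int):
        scheme, _, token = auth_header.strip().partition(" ")
        # DeepL's documented header scheme is "DeepL-Auth-Key <key>".
        if scheme != "DeepL-Auth-Key" or not token.strip():
            return "deny", "malformed Authorization header"
        rec = self._keys.get(_h(token.strip()))
        if rec is None:
            return "deny", "unknown key"
        if rec.suspended:
            return "deny", f"{rec.app_id}: key suspended"
        if endpoint not in rec.endpoints:
            return "deny", f"{rec.app_id}: endpoint {endpoint} out of scope"
        if target_lang.upper() not in rec.languages:
            return "deny", f"{rec.app_id}: language {target_lang} out of scope"
        if rec.used + chars > rec.char_quota:
            rec.suspended = True  # hard stop prevents overage; the owner must re-enable
            self.alerts.append((rec.app_id, rec.owner, "quota exceeded; key suspended"))
            return "deny", f"{rec.app_id}: quota exceeded"
        rec.used += chars
        if rec.used >= self.alert_ratio * rec.char_quota:
            self.alerts.append((rec.app_id, rec.owner, f"usage at {rec.used}/{rec.char_quota}"))
        return "allow", f"{rec.app_id}: {rec.char_quota - rec.used} chars left"

    def usage_report(self):
        """Per-app (used, quota, suspended) for the governance dashboard."""
        return {k.app_id: (k.used, k.char_quota, k.suspended) for k in self._keys.values()}


if __name__ == "__main__":
    gw = Gateway()
    gw.register("constructed-portal-key-0001",
                AppKey("portal", "team-web", "UI strings",
                       frozenset({"translate"}), frozenset({"DE", "FR"}), 1000))
    print(gw.authorize("DeepL-Auth-Key constructed-portal-key-0001", "translate", "DE", 500))
```

`usage_report()` is the feed for the single-pane dashboard mentioned in the monitoring section; because the gateway stores hashes only, the report can be exported without redaction.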
Auditing access: logs, alerts, and anomaly detection
Enable centralized logging for all DeepL API key actions: creation, rotation, and revocation. Route logs to a secured environment with strict access controls, and redact secret values so no key material is exposed in logs. Each entry must include the timestamp, action, user, and source identifier. Retain logs in a dedicated bucket and enforce a minimum retention of 90 days; 365 days is ideal for compliance. Never display full keys; replace them with placeholders or hashes. This approach provides a reliable source of truth for audits and incident response.
Configure real-time alerts for high-risk events: new key creation, rotation, or access from unknown IPs or unfamiliar services such as weblate. Bind alerts to explicit levels and keep the payload concise: key_id, user, timestamp, and IP. Never reveal the secret value in alerts; if necessary, show a safe placeholder or the value's length. Use a start marker to identify the first event after a rotation, and link related activity to invoices for cost tracing. Include a short phrase in the alert to guide responders when a quick action is required.
Apply anomaly detection: baseline activity per environment and service, monitor for deviations beyond the configured level, and escalate automatically. Ensure dashboards display clear indicators and provide drill-down access to the underlying logs. When anomalies appear, check for unknown-origin markers and correlate them with source feeds. If an action cannot be mapped to a known source, escalate to security. Capture read counts and key metadata to improve readiness. Use default policies to control automatic key disablement and keep the security posture aligned with your source settings and services strategy, especially in high-risk environments.
| Timestamp | Source | User | Action | Resource | Level | Notes |
|---|---|---|---|---|---|---|
| 2025-09-22T12:34:56Z | 203.0.113.15 | service-account/deepl | CreateKey | DeepL API key | Medium | Key created; value redacted; lifecycle started |
| 2025-09-22T13:01:02Z | 10.10.0.8 | security-ops | AccessAttempt | DeepL API | High | Unrecognized user; IP outside known range; action blocked |
| 2025-09-22T14:15:45Z | weblate | automation-bot | RotateKey | key-039 | Medium | Routine rotation; default policy; value redacted; invoices linked |
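The audit pipeline from this section as an added example (not the page's or DeepL's code): it parses log lines in the shape of the table above, scrubs any key material from the notes field into a short hash, assigns a level from the known-network / known-service / known-user baselines, emits the concise alert payload (key_id, user, timestamp, IP) for High and Medium events, and flags any principal performing an unusual burst of key-lifecycle actions. The log lines, the known networks and users, and the UUID-like key pattern used for redaction are all constructed assumptions.

```python
import hashlib
import ipaddress
import re
from collections import Counter

# Assumed key shape for redaction: UUID-like token with an optional ":fx" suffix.
KEY_RE = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?::fx)?\b")

# Constructed baselines: what "known" means for this environment.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.10.0.0/16")]
KNOWN_SERVICES = {"weblate", "ci-runner"}
KNOWN_USERS = {"service-account/deepl", "automation-bot", "security-ops"}
KEY_ACTIONS = {"CreateKey", "RotateKey", "RevokeKey"}

# Constructed log lines (timestamp|source|user|action|resource|notes); the last
# one shows an operator pasting a key into a notes field by mistake.
LOG_LINES = [
    "2025-09-22T12:34:56Z|203.0.113.15|service-account/deepl|CreateKey|key-039|key created",
    "2025-09-22T13:01:02Z|198.51.100.23|unknown-user|AccessAttempt|deepl-api|denied at edge",
    "2025-09-22T14:15:45Z|weblate|automation-bot|RotateKey|key-039|routine rotation",
    "2025-09-22T14:20:10Z|10.10.0.8|automation-bot|ReadKey|key-039|debug: 123e4567-e89b-12d3-a456-426614174000:fx",
]


def redact(text):
    """Replace key material with a short hash so the entry stays correlatable."""
    return KEY_RE.sub(lambda m: "key#" + hashlib.sha256(m.group().encode()).hexdigest()[:8], text)


def parse_line(line):
    ts, source, user, action, resource, notes = line.split("|", 5)
    return {"timestamp": ts, "source": source, "user": user, "action": action,
            "resource": resource, "notes": redact(notes)}


def classify(event):
    """Assign a level and the reasons behind it (High/Medium/Low)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(event["source"])
        if not any(ip in net for net in KNOWN_NETWORKS):
            reasons.append("ip outside known ranges")
    except ValueError:  # source is a service name, not an address
        if event["source"] not in KNOWN_SERVICES:
            reasons.append("unfamiliar service")
    if event["user"] not in KNOWN_USERS:
        reasons.append("unrecognized user")
    if event["action"] in KEY_ACTIONS:
        reasons.append(f"key lifecycle action {event['action']}")
    if any(r.startswith(("ip", "unfamiliar", "unrecognized")) for r in reasons):
        level = "High"
    elif event["action"] in KEY_ACTIONS:
        level = "Medium"
    else:
        level = "Low"
    return level, reasons


def alert_payload(event, level, reasons):
    """Concise alert: identifiers only, never the secret value."""
    return {"key_id": event["resource"], "user": event["user"], "timestamp": event["timestamp"],
            "ip": event["source"], "level": level, "reasons": reasons}


def audit(lines, burst_limit=2):
    """Parse, classify and alert; also report principals exceeding burst_limit
    key-lifecycle actions in the batch."""
    events = [parse_line(line) for line in lines]
    alerts = []
    for ev in events:
        level, reasons = classify(ev)
        if level in ("High", "Medium"):
            alerts.append(alert_payload(ev, level, reasons))
    bursts = Counter(ev["user"] for ev in events if ev["action"] in KEY_ACTIONS)
    return events, alerts, {u: n for u, n in bursts.items() if n > burst_limit}


if __name__ == "__main__":
    for ev in audit(LOG_LINES)[1]:
        print(ev)
```

Redaction happens inside `parse_line`, before the event is stored or forwarded anywhere, so a key pasted into a free-text field never reaches the retained log or an alert payload.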
Secure key sharing and onboarding for team members
Adopt a centralized secrets manager to share DeepL API keys securely; generate per-member keys, set 30-day lifetimes, and automate revocation on offboarding. This approach reduces exposure, supports privacy, and ensures that keys are read by the intended code path only.
Onboarding workflow
- Account creation: For each new teammate, create a dedicated account, assign the minimum scope required to access the APIs, and add a description to the profile to track onboarding progress. Capture language preferences and the target environment to tailor access.
- Key provisioning: Issue a short-lived API key or token from the secrets manager, bind it to the teammate's account, and label the entry with its owner for audit clarity. Mark the entry as a validation key while it is being tested.
- Install and configure: In the member's environment, install the secrets client, run an initial read to verify access, and load the key into a secure session only. Do not store keys in code or in files outside the secrets manager.
- Access guidance: Provide a concise description of allowed uses, the target endpoints, and the language-specific syntax. Use a quickstart document to reduce misconfigurations.
- Offboarding readiness: Include a simple offboarding checklist in the description field, with guidance on revocation timing. Prepare a quick export of the teammate's activity from the secrets manager.
Security controls and maintenance
- Rotation and revocation: Enforce automatic key rotation every 30 days and revoke keys promptly if a teammate leaves or changes role. Track changes with description updates and secrets-manager logs.
- Access governance: Apply least-privilege access with role-based controls, limit use to the necessary environment and scope, and bind the policy to the account and its target services.
- Audit and visibility: Enable read-only access for code reviews, monitor usage patterns in the secrets manager, and maintain privacy-compliant records for all key operations.
- Incident readiness: If a leak is suspected, revoke the affected keys immediately, roll out updated credentials, and circulate a notice to the team with remediation steps.