groq-security-basics

# Groq Security Basics ## Overview Security practices for Groq API keys and data flowing through Groq's inference API. Groq uses a single API key type (`gsk_` prefix) with full access -- there are no scoped tokens -- so key management and rotation are critical. ## Prerequisites - Groq account at console.groq.com - Understanding of environment variable management - Secret management solution for production (Vault, AWS Secrets Manager, etc.) ## Key Security Facts - Groq API keys start with `gsk_` and grant full API access - There are no read-only or scoped keys -- every key can call every endpoint - Keys are created at console.groq.com/keys and cannot be viewed after creation - Rate limits are per-organization, not per-key - Groq does not store prompt data for training (see [privacy policy](https://groq.com/privacy-policy/)) ## Instructions ### Step 1: Secure Key Storage by Environment ```bash # Development: .env file (NEVER commit) echo "GROQ_API_KEY=gsk_dev_key_here" > .env.local # .gitignore (mandatory) echo -e ".env\n.env.local\n.env.*.local" >> .gitignore # Production: use platform secret managers # Vercel vercel env add GROQ_API_KEY production # AWS aws secretsmanager create-secret --name groq-api-key --secret-string "gsk_..." # GCP echo -n "gsk_..." | gcloud secrets create groq-api-key --data-file=- # GitHub Actions gh secret set GROQ_API_KEY --body "gsk_..." ``` ### Step 2: Key Rotation Procedure ```bash set -euo pipefail # 1. Create new key in console.groq.c...