https://www.chenk.top/en/tags/api-gateway/Recent content in API Gateway on Chen Kai BlogHugoenSun, 22 Mar 2026 09:00:00 +0000https://www.chenk.top/en/terraform-agents/06-llm-gateway-and-secrets/Sun, 22 Mar 2026 09:00:00 +0000https://www.chenk.top/en/terraform-agents/06-llm-gateway-and-secrets/<p>A pattern I see repeatedly in immature agent stacks: each agent has its own copy of <code>OPENAI_API_KEY</code> in its own <code>.env</code> file. Sometimes the same key, sometimes different ones, sometimes a colleague&rsquo;s personal key from when they prototyped. When the bill arrives nobody can tell which agent caused which token spend, and when a key leaks (it always does) you&rsquo;re playing whack-a-mole across a dozen <code>.env</code> files.</p> <p>The real wake-up call hit me two years ago. A contractor finished his three-month engagement on a Friday, his laptop went home, and on the following Tuesday DashScope billing flagged 12 million tokens of <code>qwen-max</code> traffic from an IP we didn&rsquo;t recognise. His personal API key — copy-pasted into a side project — was still sitting in our agent&rsquo;s <code>.env</code>. Rotating it took six hours: three engineers, four repos, two CI pipelines, one panicked Slack thread. Never again.</p>