I'm currently working with Python on a Windows Server and I'm looking for the best way to manage my API keys and passwords without hardcoding them into my application. Is using python-dotenv still considered the best practice for this in 2026? Thanks for any advice!
6 Answers
Could you clarify if this is for local development or for staging/production environments?
I personally prefer using python-decouple. Not sure if it's the absolute best though.
One interesting approach I saw was from a source called Internet of Bugs. They suggest deploying the .env file temporarily during deployment and then deleting it right after. Worth a look!
Honestly, dotenv might not be the best choice anymore. For a well-secured system, it's ideal to pull secrets from a centralized secret management system to keep sensitive information off disk entirely.
But how do you authenticate with the secret manager service?
So, is it something like a service ticket from Kerberos?
I keep my credentials in a config.ini file. It’s straightforward for me.
Lol, that's not the most secure method!
Have you checked out keyring? It can help manage your credentials securely and is worth considering!

The last update was a couple of years ago, so it might be getting a bit stale.