How to share API keys securely with a contractor
The honest answer has three branches, and only one of them needs a tool. Here is the whole decision, in order, with the parts nobody tells you.
Do not share your key at all if you can avoid it. Issue the contractor their own scoped key, so revoking it costs you nothing.
If the provider cannot do that, the question becomes who can see the key, for how long, and can you prove afterwards who did.
Step 1: try not to share the key at all
Most people skip straight to how do I send this safely. That is the second question. The first one is whether the contractor needs your key, or just a key.
A lot of providers will issue a second credential, scoped down to the few things the job actually needs. Stripe calls them restricted keys. AWS has IAM users and roles. Most modern platforms have service accounts or per-project keys. If yours does, use it, and the whole problem collapses: you revoke one key at the end, nothing else moves, and your production key was never in anyone else's hands.
“Follow the principle of least privilege: People and systems must have only the privileges required to perform their jobs.”
This is the branch we would take, and it does not need us or anyone else. If you can end the job here, end it here.
Step 2: if you must share the real key, understand what you are choosing
Plenty of providers do not offer scoped keys. Sometimes there is one key for the whole account, and the contractor genuinely needs it. Now you are not limiting what the key can do. You are limiting who can see it, for how long, and what you can prove afterwards.
Which rules out the two things everybody actually does:
- Slack or Teams. The message does not evaporate. On paid plans Slack keeps data for the lifetime of the workspace by default, it is searchable, it lands in exports, and nothing records who read it. We wrote a whole page on this, quoting Slack's own documentation.
- Email. Same shape, worse. It is now on your mail server, their mail server, both sets of backups, and any device either of you has ever synced.
One-time secret links are a real improvement, and they are fine for a genuine one-off. Their limit is that they hand over a copy. Once the contractor has the key, the link expiring does not take it back, and you still cannot say when they used it.
Step 3: the four things that actually decide your exposure
- Scope. Can the key do only what the job needs? If yes, do that, and most of the rest stops mattering.
- Time. Does the access end by itself? Access that expires on a timer beats access a human has to remember to remove, because permissions only ever accumulate. Nobody is thanked for removing one, and removing the wrong one breaks work that somebody depends on.
- Proof. If someone asks in six months who opened that key and when, can you answer? A message in a channel is not an audit trail. It records that a key was sent, not that it was read.
- Rotation. Rotate when the engagement ends, and on a schedule regardless. It closes the door going forward. It tells you nothing about what happened while it was open, which is why it is the last item here and not the first.
Where a credential vault fits, and where it does not
A vault is the answer to exactly one branch of this: the key cannot be scoped, the engagement is longer than one afternoon, and you will need to account for it later. Then the credential stays encrypted, the contractor requests it with a reason and a duration, someone approves, the grant expires on its own, and every reveal is written to an append-only log with the actor, the timestamp, the IP and the user agent, tied to the approval that authorised it.
That is what Vendor Access Vault does, and it is free while we build it. It is also not magic: once someone has revealed a credential, they have seen it. Nothing can un-see it. What changes is that the reveal is a deliberate, approved, timestamped event instead of a message somebody scrolled past, and that the access ends without anyone having to remember.
If your provider does scoped keys, use scoped keys. If it does not, this is the next best thing, and it is the difference between we think only Sarah had it and Sarah opened it at 14:12 on the 3rd, Daniel approved it, and it expired at 18:12.
Common questions
- Can I just send the API key over Slack or email?
- You can, and it is the single most common way keys leak. The problem is not the moment of sending, it is everything afterwards. On paid plans Slack keeps your messages for the lifetime of the workspace by default, the message is searchable by anyone who can see the channel, it is included in workspace exports, and nothing tells you who read it. Deleting the message later does not un-read it. If you have already done this, treat the key as exposed and rotate it.
- What if the provider does not support scoped or restricted keys?
- Then you are sharing the real key, and the question changes from 'how do I limit what it can do' to 'how do I limit who can see it, for how long, and can I prove afterwards who did'. That is the case a credential vault is actually for: the key stays encrypted, the contractor asks for it, someone approves, the grant expires on its own, and every reveal is logged. It is a worse position than a scoped key, and you should still rotate when the engagement ends.
- Isn't rotating the key at the end enough?
- Rotation is necessary and it is not sufficient. It closes the door going forward; it tells you nothing about what happened while the door was open. If you cannot say who opened the key, when, and who authorised it, you cannot answer the only question that matters after an incident. Rotate anyway, and rotate on a schedule, not just at offboarding.
- Do I need a tool for this at all?
- For one key and one contractor for one afternoon, honestly, no. Issue a scoped key, hand it over, revoke it after. A tool starts earning its place when there are several credentials, several people, and somebody eventually has to answer 'who had access to what, and when did it stop'. That is a bookkeeping problem, and bookkeeping is what software is for.
Keep reading
- Is it safe to share passwords in Slack?What Slack's own docs say happens to the message afterwards.
- Sharing credentials with contractorsThe workflow, end to end.
- Temporary accessAccess that expires beats access somebody must remember to revoke.
- How we encryptAES-256-GCM, append-only audit log, server-side reveals.
When you cannot scope the key, scope the access
Free while we build. No credit card, no sales call.