
Github Hiding Api keys Tutorial

This post will show how you can hide API keys and stop your private key from being pushed to Git.

Check out the tutorial and find out about the trick.


Here are the steps:

1. In your project, find the .gitignore file – this lists the files which Git will not track.

For example:


2. Add the file project:gradle.properties to the gitignore list as per below:


3. Now open the project:gradle.properties file and add a new reference for API_KEY:

# My Secret Key - this is an example, please enter your own key!
API_KEY="Your API String"

4. Open the application app:build.gradle and within the defaultConfig add a reference to your API_KEY

android {
  compileSdkVersion 23
  buildToolsVersion "23.0.2"

  defaultConfig {
    applicationId "com.texturelabs.rosera.pop_movies"
    minSdkVersion 14
    targetSdkVersion 23
    versionCode 1
    versionName "1.0"

    // Please ensure you have a valid API KEY for themoviedb.org
    // to use this app
    // A valid key will need to be entered
    buildConfigField("String", "API_KEY", API_KEY)
  }
  buildTypes {
    release {
      minifyEnabled false
      proguardFiles getDefaultProguardFile('proguard-android.txt')
    }
  }
}

5. Now in your source code, you can easily reference the API_KEY without it being uploaded to Git, for example:

private static final String API_KEY = BuildConfig.API_KEY;


😗 I have already added my private key to Git

If you have done this already, you can repair it by using git to remove it, for example:

  • With a local key that has not been pushed to your remote repository, you just need to remove (rm) the file from the cache.
git rm --cached <filename>
  • Where you have a key that has been pushed remotely, you will need to re-add the information. So firstly remove (rm) the file from the cache and commit that removal. Then tell git to push this change to the remote repo (that is, remove the file cleanly from the remote repository). You will still have the non-version-controlled file on your local machine – also note that the repository logs will contain a reference to any changes made.
git rm --cached <filename>
git commit -m "Stop tracking <filename>"
git push

For extra security, please note that git provides a tool to remove sensitive data in case you have committed information to the remote repository.

Git – Remove sensitive data
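
To check which of the situations above a repository is actually in, here is an added example (not part of the original post): a small shell audit that reports whether a secrets file is still tracked, only ignored, or still present in earlier commits. The function names `audit_secret_file` and `demo_states`, the throwaway repository and the placeholder key are all constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). audit_secret_file is a
# hypothetical helper name; it prints one status word for <file> in <repo>:
#   TRACKED      still in the index, so the next commit/push includes it
#   IN_HISTORY   no longer tracked, but an earlier commit still holds it
#   NOT_IGNORED  never committed, but no .gitignore rule protects it
#   SAFE         ignored, untracked, and absent from every commit
audit_secret_file() {
  repo=$1; file=$2
  if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
    echo TRACKED
  elif [ -n "$(git -C "$repo" log --all --format=%H -- "$file" 2>/dev/null)" ]; then
    echo IN_HISTORY
  elif ! git -C "$repo" check-ignore -q -- "$file" 2>/dev/null; then
    echo NOT_IGNORED
  else
    echo SAFE
  fi
}

# Walk a constructed throwaway repository through the situations in the post.
demo_states() {
  demo=$(mktemp -d)
  g() { git -C "$demo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  g init -q
  echo 'API_KEY="constructed-placeholder-not-a-real-key"' > "$demo/gradle.properties"
  s1=$(audit_secret_file "$demo" gradle.properties)   # before step 2 (.gitignore)

  g add gradle.properties && g commit -q -m "add config"
  s2=$(audit_secret_file "$demo" gradle.properties)   # key committed by mistake

  echo gradle.properties > "$demo/.gitignore"
  g rm -q --cached gradle.properties
  g add .gitignore && g commit -q -m "stop tracking gradle.properties"
  s3=$(audit_secret_file "$demo" gradle.properties)   # after git rm --cached

  rm -rf "$demo"
  echo "$s1 $s2 $s3"
}

demo_states
```

IN_HISTORY is the state that `git rm --cached` followed by a commit and push leaves behind, which is why the sensitive-data removal tool linked above is still needed after that fix.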
