
Do you fine-tune or use hosted APIs (e.g. OpenAI, HuggingFace)? How do you secure API keys?

June 3, 2025

We primarily use hosted APIs from providers like OpenAI and Anthropic, and selectively support fine-tuning when use cases demand domain-specific performance.

API Use & Fine-Tuning

  • Default approach: Hosted APIs with prompt engineering for fast iteration and cost efficiency.

  • Fine-tuning: Applied only for narrow, high-volume tasks (e.g. structured Q&A, code generation), usually on smaller open-source models.

API Key Security

  • Environment Variables: Keys are never hardcoded; they are managed securely via .env files or deployment platforms.

  • Secret Managers: In production, we use tools like AWS Secrets Manager, Vault, or GitLab CI/CD encrypted variables.

  • Access Control: Limited to specific services, with logging and key rotation enforced quarterly or upon personnel change.

  • Rate Limits & Scopes: Keys are scoped and rate-limited to minimize abuse and limit blast radius.
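
The controls in the list above can be checked mechanically. The sketch below is an added example, not code from this post's author: it loads a key from the environment and fails closed, logs only a fingerprint, and audits a key inventory against the rotation, ownership, scope and rate-limit rules. The inventory field names, the sample values and the reading of "quarterly" as 90 days are assumptions.

```python
import hashlib
from datetime import date, timedelta

ROTATION_WINDOW = timedelta(days=90)  # assumption: "quarterly" taken as 90 days


def load_api_key(name, environ):
    """Read a key from the environment mapping; fail closed if it is absent."""
    value = environ.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


def fingerprint(key):
    """Short SHA-256 prefix that identifies a key in logs without exposing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def audit_keys(inventory, today, departed):
    """Return (key_id, reason) findings for keys that break the policy."""
    findings = []
    for k in inventory:
        if today - k["created"] > ROTATION_WINDOW:
            findings.append((k["id"], "rotation overdue"))
        if k["owner"] in departed:
            findings.append((k["id"], "owner departed"))
        if not k["scopes"]:
            findings.append((k["id"], "no scope restriction"))
        if k["rate_limit_rpm"] is None:
            findings.append((k["id"], "no rate limit"))
    return findings


# Constructed sample inventory (hypothetical field names and values).
SAMPLE_INVENTORY = [
    {"id": "svc-chat", "owner": "alice", "created": date(2025, 5, 1),
     "scopes": ["chat.completions"], "rate_limit_rpm": 600},
    {"id": "svc-batch", "owner": "bob", "created": date(2025, 1, 10),
     "scopes": [], "rate_limit_rpm": None},
]

if __name__ == "__main__":
    for key_id, reason in audit_keys(SAMPLE_INVENTORY, date(2025, 6, 3), {"bob"}):
        print(f"{key_id}: {reason}")
```

In a real service, pass `os.environ` as the `environ` argument and feed `audit_keys` from whatever key metadata your secret manager exposes.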