# All channels
Sachin D. Shinde@sachin-shinde
No api keys per environment in graph manager. How do you secure things?January 31, 2020 at 8:53pm (Edited 12 months ago)
In graph manager, you define a graph and can have multiple variants for different environments. While a graph can be secured by an api key, variants cannot. This means anyone on the team can see the api key for the graph and push updates to the production environment.
We are used to the practice of using different api keys to help secure different environments. We can then limit the people and processes that have access to those keys. But in graph manager, the key is there and visible to anyone with access to graph manager so this doesn't really work.
What is the best practice here for securing changes around environments/variations? How do you keep keys secure so anyone on the team can't just log onto graph manager and grab them? Especially because we want the observability that graph manager provides to the team.
January 31, 2020 at 10:43pm
February 3, 2020 at 3:18pm
September 3, 2020 at 6:31pm
Hi (russell-shurts) –– circling back here, we just released user roles and permissions in our system, which is the first step in our path to doing this. The plan is to get to graph-level user permissions next, and then read-only keys that are variant specific after that. I think we will get to graph-level user permission by the end of 2020 for sure, but I'm not sure if read-only variant keys will make it to the Q4 list because we have a few other impending priorities ahead of that. I hope it does though!