Store the API key in server-side environment variables or a dedicated secret manager. Avoid embedding it in frontend code or public repositories.
For production systems, server-side calls are recommended so you can protect the key, validate traffic and control quotas.
Use different keys for development, staging and production, and keep each environment on its own quota and monitoring policy.
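
One way to apply the environment-variable and per-environment-key advice above at service start-up, as an added example that is not from the original page. The variable names (`SERVICE_API_KEY_*`) and the helpers `load_api_key` and `fingerprint` are hypothetical, and the sample values are constructed.

```python
import hashlib
import os

# Hypothetical variable names, one per environment (assumption, not from the page).
ENV_VARS = {
    "development": "SERVICE_API_KEY_DEV",
    "staging": "SERVICE_API_KEY_STAGING",
    "production": "SERVICE_API_KEY_PROD",
}


class KeyConfigError(RuntimeError):
    """Raised when the key configuration is unsafe; the service should not start."""


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix of a high-entropy key, for logs instead of the key itself."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def load_api_key(environment: str, environ=None) -> str:
    """Return the key for `environment`, failing closed on unsafe configuration."""
    environ = os.environ if environ is None else environ
    if environment not in ENV_VARS:
        raise KeyConfigError(f"unknown environment: {environment!r}")
    key = environ.get(ENV_VARS[environment], "").strip()
    if not key:
        raise KeyConfigError(f"{ENV_VARS[environment]} is not set")
    # Reject a key that is also configured for another environment.
    for other, var in ENV_VARS.items():
        if other != environment and environ.get(var, "").strip() == key:
            raise KeyConfigError(
                f"{environment} and {other} share one key (fingerprint {fingerprint(key)})"
            )
    return key


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {
        "SERVICE_API_KEY_DEV": "dev-constructed-1",
        "SERVICE_API_KEY_PROD": "prod-constructed-2",
    }
    key = load_api_key("production", sample)
    print("loaded production key, fingerprint", fingerprint(key))
```
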
Disable the exposed key immediately, generate a new key, rotate all dependent services and review logs for unusual usage.
API key leaks can create unauthorized usage and billing risk. Treat every exposed key as compromised.