Last reviewed: 2026-07-18
Direct answer
Keep every CometAPI key out of tutorial repositories. In tutorial code, read the key from a local environment variable, a server-side runtime variable, or a deployment-controlled secret store. The CometAPI Chat Completions reference shows a Python client configured with the CometAPI base URL and api_key loaded from os.environ["COMETAPI_KEY"]; that is the boundary a tutorial should teach. The variable name can appear in examples, but the key value must never appear in source files, screenshots, logs, copied terminal output, fixtures, or sample responses.
This boundary matters because tutorial repositories are often cloned, forked, indexed, and copied into other examples. A key that lands in Git can spread far beyond the original lesson. The clean pattern is simple: document the variable name, show where the program reads it, provide a placeholder value only when a configuration template needs one, and make the missing-key behavior easy to test.
For adjacent cleanup, pair this guide with Redact Credentials Safely in CometAPI Tutorial Snippets and Review CometAPI Request Headers Before Shipping Example Clients . Those pages help keep copied code and request metadata aligned with the same key-handling rule.
A safe smoke-test workflow is:
- Setup assumptions: the maintainer has a CometAPI account, a local shell variable named
COMETAPI_KEY, and a tutorial branch with no committed credential file. - Happy-path request plan: run the documented Chat Completions or Responses example locally using the environment variable. Record only whether the request reached the intended endpoint family and whether the response shape matched the linked reference.
- Error-path check: unset the local variable, run the same command, and confirm the tutorial fails before sending a request or returns an authentication-related error without printing a secret.
- Minimum assertions: no key value appears in source files, shell output, saved logs, screenshots, copied examples, or response fixtures; the request path and response fields are checked against the linked docs.
- Pass/fail logging fields: record date, endpoint family, doc URL, local variable name, request result category, error result category, files scanned, and maintainer initials.
- What not to assert: do not claim model availability, pricing, rate limits, latency, uptime, token cost, or billing behavior from this smoke test.
Sanitized log template:
review_date: 2026-07-18
endpoint_family: chat_completions_or_responses
doc_url: https://apidoc.cometapi.com/api/text/chat
key_variable_name: COMETAPI_KEY
credential_value_recorded: false
happy_path_result: placeholder_pass_or_fail
error_path_result: placeholder_pass_or_fail
files_scanned: placeholder_file_list
notes: placeholder_short_note
A configuration template can show a placeholder like this:
COMETAPI_KEY=<API_KEY_PLACEHOLDER>
Do not replace that placeholder with a real-looking value in the repository. The reader should create their own key in their own account and set it in their local shell, local environment file excluded from Git, or server-side runtime configuration.
Who this is for
This guide is for tutorial authors, maintainers, reviewers, and developer relations teams who publish CometAPI examples for local development. It is especially useful when a tutorial includes Python, JavaScript, shell, or framework snippets that need a CometAPI key to run but should not teach readers to paste secrets into source code.
It also helps teams that reuse tutorial code in workshops, starter apps, and internal demos. Those environments often move quickly, and a single copied .env file or screenshot can undermine the example. A small key boundary keeps the lesson runnable while reducing the chance that private account material becomes public.
Use this guide before publishing a new tutorial, before accepting a community pull request that changes a request example, and before turning a local demo into a hosted walkthrough. If the tutorial also compares endpoint families, read Choose between CometAPI Chat Completions and Responses so the key boundary and endpoint choice are checked together.
Key takeaways
- Show
COMETAPI_KEYas a variable name, not as a credential value. - Keep
.envfiles, shell exports, screenshots, saved logs, and copied terminal output out of public tutorial repositories. - Use the CometAPI Chat Completions and Responses references to verify request paths and response shapes before publishing runnable examples.
- Test both the successful request and the missing-key failure so readers see a clean local boundary.
- Link to support when account access, dashboard access, or key lifecycle issues block the reader.
- Use Start with CometAPI when you need to continue from the tutorial into CometAPI setup.
Sources checked
- CometAPI chat completions reference - accessed 2026-07-18; purpose: verify chat completion contract areas.
- CometAPI responses reference - accessed 2026-07-18; purpose: verify responses endpoint contract areas.
- CometAPI documentation - accessed 2026-07-18; purpose: verify current CometAPI documentation navigation.
- CometAPI support page - accessed 2026-07-18; purpose: verify support and escalation context.
Contract details to verify
| Area | What to verify | Source URL | Accessed | Safe candidate wording |
|---|---|---|---|---|
| Chat request setup | Confirm the current Chat Completions path, request structure, and environment-variable key example before publishing a runnable snippet. | https://apidoc.cometapi.com/api/text/chat | 2026-07-18 | “Use an environment variable such as COMETAPI_KEY instead of placing a key in source code.” |
| Responses request setup | Confirm whether the tutorial should use the Responses endpoint family instead of Chat Completions for the example being taught. | https://apidoc.cometapi.com/api/text/responses | 2026-07-18 | “Check the linked Responses reference before adapting the workflow to that endpoint family.” |
| Documentation source of truth | Confirm that examples link to the current CometAPI documentation entry point and not an outdated saved snippet. | https://apidoc.cometapi.com/ | 2026-07-18 | “Treat the public docs as the reference before copying endpoint details into tutorials.” |
| Support escalation | Confirm where readers should go when account access, key creation, dashboard access, or private setup blocks local testing. | https://www.cometapi.com/support/ | 2026-07-18 | “Use CometAPI support for account-specific issues that a tutorial cannot verify locally.” |
Failure modes
- A real key is pasted into source code during local testing. Stop, remove the value from the working copy, rotate the key through the appropriate account path, and check the commit history before continuing.
- A
.envfile is committed because the repository lacks an ignore rule. Replace it with a placeholder template, add the local file to the ignore list, and confirm the committed template contains only names and placeholders. - A screenshot shows a shell export, dashboard token screen, or request header containing a private value. Retake the screenshot with the value hidden or use a sanitized text example.
- A saved error response includes account-specific data. Keep only the error category needed for the tutorial and remove request identifiers, private values, and copied response bodies that are not necessary for the lesson.
- A maintainer changes endpoint families or client setup to make a local run pass. Recheck the Chat Completions or Responses source page before presenting that change as a tutorial pattern.
- A missing-key test is treated as proof of rate limits, billing, uptime, or model availability. Keep the test scoped to local configuration and credential-handling behavior.
- A reader cannot create or use a key because of account access. Do not guess their private setup; send them to the CometAPI support page for account-specific help.
Reader next step
Before you publish the tutorial, run one local pass with the key present and one pass with the key absent. Save a short note that lists the files checked, the endpoint family used, the source URL checked, and whether any credential value appeared in output. Then open the repository diff and search for COMETAPI_KEY, <API_KEY_PLACEHOLDER>, Authorization, .env, and any copied terminal transcript. The only credential-related values that should remain in public files are variable names and sanitized placeholders.
If you are starting from scratch, use Start with CometAPI after reading the docs so the account setup stays separate from the public tutorial repository.
FAQ
Can a tutorial include the name COMETAPI_KEY?
Yes. The variable name is useful because the Chat Completions reference shows the key being read from an environment variable. The secret value must stay out of source files, screenshots, logs, and example output.
Should I commit a sample .env file?
Do not commit a local .env file with a value. A template can show placeholder names, but it should not contain a real or example-looking key. Use <API_KEY_PLACEHOLDER> when a value is necessary for explanation.
What should the missing-key test prove?
It should prove that the tutorial fails cleanly when the local variable is absent and that the failure does not print or save a secret. It should not be used to infer pricing, limits, latency, uptime, billing behavior, or model availability.
Where should a hosted app read the key?
A hosted tutorial app should read the key from server-side configuration or a deployment-controlled secret store. Do not put the key in client-side JavaScript, static HTML, public environment files, or build artifacts that readers can download.
When should I send readers to support?
Send readers to CometAPI support when the issue depends on their account, dashboard access, key lifecycle, or other private setup details that the tutorial cannot verify from public documentation.