In several Flask apps at Aquaya, I used a combo of environment variables and sample config files filled in with real data on the live servers only, not in the source. But how do you do this with a lot of servers that may be rebuilt at any time? How do you avoid passing state to these servers when you provision them? And how do you share these credentials among team members?
so maybe use config files and ACLs?
nice article on token storage in mobile apps (suggests provisioning, splitting, rotating)
services hashing their API keys, displaying them in plaintext just once and expecting you to treat them like passwords (and use a vault)
ah, a provisioning idea
instance deciphers into an env var
a nice ansible example with mention of git-crypt which is kinda similar to the idea above
vars_prompt to get a user-typed password
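The "hash the API key, show it in plaintext once" pattern from the note above, sketched from the service's side. This is an added example, not code from any of the linked articles or services; the function names, the `key_id.secret` format and the in-memory `KEY_HASHES` store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the service's database: key_id -> SHA-256 hex digest.
# The plaintext secret is never written here.
KEY_HASHES = {}


def digest(secret: str) -> str:
    # A fast hash is acceptable only because the secret is 256 bits of CSPRNG
    # output; user-chosen passwords would need a slow KDF instead.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_api_key() -> str:
    """Create a key, store only its hash, and return the plaintext exactly once."""
    key_id = secrets.token_hex(8)        # public lookup handle, safe to log
    secret = secrets.token_urlsafe(32)   # shown to the caller once, then gone
    KEY_HASHES[key_id] = digest(secret)
    return f"{key_id}.{secret}"


def verify_api_key(presented: str) -> bool:
    """Check a presented key against the stored hash in constant time."""
    key_id, sep, secret = presented.partition(".")
    stored = KEY_HASHES.get(key_id)
    if not sep or stored is None:
        return False
    return hmac.compare_digest(stored, digest(secret))


def rotate_api_key(old_key: str):
    """Revoke a valid key and issue a replacement; returns None if old_key is invalid."""
    if not verify_api_key(old_key):
        return None
    del KEY_HASHES[old_key.partition(".")[0]]
    return issue_api_key()


if __name__ == "__main__":
    key = issue_api_key()
    print("store this in your vault now, it cannot be shown again:", key)
    print("valid:", verify_api_key(key))
```

Because only the digest is stored, a leaked database row cannot be replayed as a credential, and a lost key can only be rotated, never recovered.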