The single most important rule is to never embed your API key directly into your source code, especially in client-side applications or public repositories like GitHub. Bots constantly scrape GitHub for accidentally committed API keys and can drain your credits in seconds.
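As an added example (not code from the original page or any particular API vendor), the following Python shows the two halves of that rule in practice: the application reads its key from an environment variable and refuses to start if it is absent, and a small pre-commit style scanner flags source lines that assign a long secret-looking literal to a variable named like a key or token. The environment variable name `EXAMPLE_API_KEY`, the regex, and the sample source are all constructed for this example; the regex is a generic heuristic, not any vendor's real key format.

```python
import os
import re
import sys

# Constructed heuristic: a key/secret/token/password variable assigned a quoted
# literal of 16+ key-like characters. Tune the name list and length for your code base.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""
)


def load_api_key(env_var: str = "EXAMPLE_API_KEY", env=None) -> str:
    """Read the API key from the environment and fail closed if it is missing.

    `env` defaults to os.environ; it is a parameter only so the function can be
    tested with a plain dict.
    """
    env = os.environ if env is None else env
    key = env.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to start without an API key")
    return key


def find_hardcoded_secrets(source: str):
    """Return (line_number, variable_name) for each line that looks like an embedded secret."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


def scan_paths(paths):
    """Scan files and return {path: [(line_number, variable_name), ...]} for files with hits."""
    findings = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits = find_hardcoded_secrets(handle.read())
        if hits:
            findings[path] = hits
    return findings


# Constructed sample source: one hardcoded placeholder key (should be flagged),
# one key read from the environment (should not), one short literal (below threshold).
SAMPLE_SOURCE = """\
import os
API_KEY = "sk_example_placeholder_0123456789abcdef"   # constructed placeholder, hardcoded
api_key = os.environ["EXAMPLE_API_KEY"]               # read from the environment
db_password = 'hunter2'                               # too short to match the heuristic
"""


if __name__ == "__main__":
    # Usage: python scan.py file1.py file2.js ...   (exit 1 if anything is flagged)
    if len(sys.argv) > 1:
        results = scan_paths(sys.argv[1:])
        for path, hits in results.items():
            for number, name in hits:
                print(f"{path}:{number}: possible hardcoded secret in '{name}'")
        sys.exit(1 if results else 0)
    # With no arguments, demonstrate on the constructed sample instead.
    for number, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"sample:{number}: possible hardcoded secret in '{name}'")
```

Run with file paths to use it as a commit hook (non-zero exit blocks the commit); the scanner is deliberately conservative on short literals, so pair it with a dedicated secret-scanning tool rather than relying on the heuristic alone.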