When you don't know what you don't know, you make assumptions. In this case, a very wrong one, which led to a misunderstanding.

The way a user stores their API keys has nothing to do with how the application generating them encoded them in its code. My original comment referred to the latter.

To be specific, I encountered an issue where the search tool was hard-coding assumptions about the length of OpenAI's API key. This brittle design broke when OpenAI introduced longer project-level keys (sk-proj-replaced user-level keys sk-).

This is a very different problem from using environment variables, and it's a critical lesson in abstracting dependencies to prevent code from breaking due to external changes.