Great question ??never hardcode API keys! The standard and secure approach is to use environment variables with a .env file (ignored by Git) and a package like dotenv. First, install dotenv: `npm install dotenv`. Then create a `.env` file in your project root with `GITHUB_TOKEN=your_actual_token_here`, and add `.env` to your `.gitignore`. In your app, load it early: `require('dotenv').config();`, then access it via `process.env.GITHUB_TOKEN`. For production, set the variable directly in your hosting environment (e.g., Heroku config vars or AWS ECS secrets). Bonus tip: Use short-lived tokens or fine-grained GitHub PATs with minimal permissions instead of classic tokens when possible.