Retrieve API Keys from .xcconfig Files in Xcode
#NoteToForget
Because you’ll forget it again, and that’s your superpower 🤭
The Essentials
A common mistake many iOS developers (myself included) make is hardcoding sensitive data—like API keys—directly into the codebase. It's easy, quick, and it works… until it becomes a security issue or a pain to manage across multiple environments.
❌ Here are a few wrong ways developers store API keys:
⦿ Constants.swift
Anyone with access to the code can see your key.
It’s stored in plain text and often ends up in version control.
⦿ Info.plist
Looks hidden, but can still be extracted by reverse-engineering the compiled app.
✅ The Better Way: Use .xcconfig Files
.xcconfig files allow you to define build-specific configuration values like API keys, which you can keep separate from your source code. This keeps things clean, secure, and easy to manage between Debug and Release builds.
⚙️ Environment
⦿ Xcode 16.2
⦿ Swift 5.9
📌 Workflow: Securely Store and Access API Keys in Xcode
1. Create .xcconfig Files
This is where you'll define API keys for different environments.
Steps:
☞ Open Xcode
☞ Go to File 〉New 〉File
☞ Choose Configuration Settings File (.xcconfig) under the "Other" section
☞ Create two files:
○ Debug.xcconfig
○ Release.xcconfig
2. Add API Key to .xcconfig
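In each .xcconfig file, add:
API_KEY = your-api-key-here
Leave the value unquoted: .xcconfig values are taken literally, so surrounding quotes would become part of the key.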
These files won’t be compiled directly, which makes them safer to store (especially if excluded from version control).
3. Link .xcconfig to Your Project
Steps:
☞ Go to your Project Settings (click the project name in the sidebar)
☞ Under Info 〉Configurations, set the Debug and Release configurations to use the correct .xcconfig file.
〉Debug = Debug.xcconfig
〉Release = Release.xcconfig
4. Map Variable to Info.plist
To access the value at runtime, expose it through the app's Info.plist.
Steps:
☞ Open Info.plist
☞ Add a new key/value pair:
<key>API_KEY</key> <string>${API_KEY}</string>
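This tells Xcode to inject the value of API_KEY from .xcconfig into the plist at build time. The built app therefore carries the key in its Info.plist, so the reverse-engineering caveat above still applies; what this setup gives you is a key that stays out of source code and, if the .xcconfig files are excluded, out of version control.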
5. Read API Key in Swift Code
Use the following struct to access the key:
import Foundation

struct API {
    static let baseUrl = "https://api.rawg.io/api/games"

    // Read once, from the value injected into Info.plist at build time.
    static let apiKey: String = {
        guard let apiKey = Bundle.main.object(forInfoDictionaryKey: "API_KEY") as? String else {
            fatalError("API_KEY not found in Info.plist")
        }
        return apiKey
    }()
}
This keeps the API key out of your source code and makes it dependent on the build environment.
💡 Tip: You can replace fatalError with a fallback value or handle it more gracefully in production apps.
6. Test Your Configuration
Make sure the correct API key loads for each environment.
Steps:
☞ In Xcode, select your build scheme (top left dropdown)
☞ Choose either Debug or Release
☞ Run the app and check that the correct key is printed:
print("API Key: \(API.apiKey)")
Key Takeaways
🔐 Security: .xcconfig keeps sensitive data out of your codebase and version control.
🔄 Flexibility: Easily switch API keys based on Debug or Release builds.
🧠 Simplicity: Clean separation of logic and configuration.
Final Note
✅ For more advanced scenarios, you can also store sensitive keys on remote servers or use services like CocoaPods or Swift Package Manager for more secure management.
✅ Don’t forget to add your .xcconfig files to .gitignore if you don’t want to commit real API keys. For teams, you can share dummy keys or encrypted versions depending on your workflow.
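A pre-commit style check for the .gitignore advice above and for the literal-quote behaviour of .xcconfig values, as an added example in Python that is not part of the original post. The function names, the placeholder list and the sample file contents are assumptions, and the .gitignore matching is simplified to plain glob patterns.

```python
import fnmatch

PLACEHOLDERS = {"", "your-api-key-here"}  # assumption: dummy values that are safe to commit

def parse_xcconfig(text):
    """Parse 'NAME = value' lines. In .xcconfig, '//' starts a comment and values are literal."""
    settings = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if not line or line.startswith("#"):  # blank line or #include directive
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def is_ignored(path, gitignore_text):
    """Simplified .gitignore check: plain glob patterns only, negation (!) is not handled."""
    name = path.rsplit("/", 1)[-1]
    for pattern in gitignore_text.splitlines():
        pattern = pattern.strip()
        if not pattern or pattern.startswith(("#", "!")):
            continue
        if fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(name, pattern):
            return True
    return False

def audit(path, xcconfig_text, gitignore_text, key="API_KEY"):
    """Return a list of findings for one .xcconfig file (empty list means nothing to fix)."""
    value = parse_xcconfig(xcconfig_text).get(key)
    if value is None:
        return [f"{path}: {key} is not defined"]
    findings = []
    if len(value) >= 2 and value[0] == value[-1] == '"':
        findings.append(f"{path}: {key} is quoted; the quotes become part of the value")
        value = value[1:-1]
    if value not in PLACEHOLDERS and not is_ignored(path, gitignore_text):
        findings.append(f"{path}: real {key} is not covered by .gitignore")
    return findings

# Constructed sample input (not real keys).
GITIGNORE = "# secrets\nRelease.xcconfig\n"
DEBUG = '// debug settings\nAPI_KEY = "constructed-debug-key-123"\n'
RELEASE = "API_KEY = constructed-release-key-456 // rotated quarterly\n"

if __name__ == "__main__":
    for path, text in (("Debug.xcconfig", DEBUG), ("Release.xcconfig", RELEASE)):
        print(audit(path, text, GITIGNORE) or f"{path}: ok")
```

In a real repository, `git check-ignore` gives the authoritative answer for whether a path is ignored; the glob matcher here only keeps the example self-contained.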
That’s it!
Next time you forget this (and you will 😅), just check back here.
— #NoteToForget