It's very important to protect API keys, private keys in blockchain and API development. Here're are some tips from Chainlink smart contract hardhat starter kit.
There are two options of setting environment variables: store credentials in a .env file AND set it in command line. Remember to add any env file to .gitignore else you risk losing your credentials and subject your app to attack and misuse. Bad parties can steal your API keys make unauthorized transactions /requests and incur cost / lost.