EDIT: For anyone looking at this: I just saw this excellent answer, and it is well worth reading:
How can I save my secret keys and password securely in my version control system?
---Continue old answer---
Great question. See this post for a good start: Accidental API Key Exposure is a Major Problem
I generally try to keep all my API tokens in an external file.
I exclude that file in .gitignore:

    ##################
    #Ignore API token#
    ##################
    token.txt

Then I read the token from the file (working in Python):
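
    import os

    # Read the token from the token.txt file in the same directory as this script
    path = os.path.dirname(os.path.abspath(__file__))
    token_file = os.path.join(path, "token.txt")
    with open(token_file, "r") as f:  # text mode, so the str replace below works
        token = f.read().replace("\n", "")
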
Since I never push the token file it never gets exposed.
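
A `.gitignore` entry only applies to files git is not already tracking, so a `token.txt` that was added before the rule existed still gets pushed. The following added example (not part of the original answer) checks both conditions before reading the token; the function names are hypothetical, it assumes `git` is on the PATH, and the demo repository and token value are constructed.

```python
import os
import subprocess
import tempfile

def run_git(repo, *args):
    """Run git inside repo; return its exit code, or None if git is not installed."""
    try:
        return subprocess.run(["git", "-C", repo, *args], capture_output=True).returncode
    except FileNotFoundError:
        return None

def token_file_status(repo, name="token.txt"):
    """Classify the token file as 'tracked', 'ignored', 'unprotected' or 'unknown'."""
    # ls-files --error-unmatch exits 0 if the path is in the index, 1 if it is not.
    tracked = run_git(repo, "ls-files", "--error-unmatch", "--", name)
    if tracked == 0:
        return "tracked"      # .gitignore has no effect on files already added
    if tracked != 1:
        return "unknown"      # git missing, or repo is not a git work tree
    # check-ignore -q exits 0 if an ignore rule matches the path, 1 if none does.
    ignored = run_git(repo, "check-ignore", "-q", "--", name)
    return {0: "ignored", 1: "unprotected"}.get(ignored, "unknown")

def read_token(repo, name="token.txt"):
    """Return the token, refusing if git would carry (or already carries) the file."""
    status = token_file_status(repo, name)
    if status in ("tracked", "unprotected"):
        raise RuntimeError(f"{name} is {status} in git; fix .gitignore or untrack it")
    with open(os.path.join(repo, name), "r") as f:
        return f.read().strip()

def demo():
    """Build a constructed throwaway repo and record the status at each stage."""
    states = []
    with tempfile.TemporaryDirectory() as repo:
        run_git(repo, "init", "-q")
        with open(os.path.join(repo, "token.txt"), "w") as f:
            f.write("constructed-sample-token\n")
        states.append(token_file_status(repo))   # no ignore rule yet
        with open(os.path.join(repo, ".gitignore"), "w") as f:
            f.write("token.txt\n")
        states.append(token_file_status(repo))   # rule added, file untracked
        run_git(repo, "add", "-f", "token.txt")
        states.append(token_file_status(repo))   # force-added despite the rule
    return states

if __name__ == "__main__":
    print(demo())
```

If the status comes back as `tracked`, `git rm --cached token.txt` removes the file from the index while leaving it on disk; the token is still in earlier commits and should be rotated.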