Best Practices for Storing API Keys (not on Meteor.users)

Are there any best practices for storing API keys?

Users can create organizations, and I’d like to let them attach their organization’s facebook/linkedin/twitter pages. Is there anything in particular to watch out for? Or should I just store the keys on the organization document under a services field?