Basic basic basic security:
Obviously, if storing passwords, convert them to a one-way hash string first, before even sending, so they can only be compared to the same one-way encoded hash at a later time, but their original value would be impossible to read.
Don't store your API keys in your Github repository. Store them instead in an external folder, outside the Github repository folder. Then, inside the Node.js script, load up that file by stepping outside of the current folder "../".
If you have many API keys, shared across different servers, it would be smart to put them into their own Git repository, with their own deployment mechanism - a private repository ofcourse - and manage that codebase similarly, but outside of the main codebase.
... more coming soon...