You can define it somewhere as a constant or readonly field, but it will still be discoverable by tools like Reflector, even with a little bit of effort. If you want more secure storage, encrypt the key with DPAPI and store it in the config. The disadvantage of this approach is that the key is not transferable to another machine or to another user profile.
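The DPAPI approach described above could look like the following sketch, which is an added example and not code from the original answer. The setting name `ProtectedKey`, the entropy string and the class names are assumptions made for illustration; it needs references to `System.Security` and `System.Configuration`, runs on Windows only, and needs write access to the application's config file.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ProtectedKeyStore
{
    // Hypothetical setting name and entropy value chosen for this example.
    // The entropy is not a secret (it is visible in the assembly); it only
    // binds the blob to this application's purpose.
    const string SettingName = "ProtectedKey";
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.ProtectedKey.v1");

    // Encrypts the key with DPAPI and stores the Base64 blob in appSettings.
    public static void Save(byte[] key)
    {
        byte[] blob = ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser);
        Configuration cfg = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        cfg.AppSettings.Settings.Remove(SettingName);
        cfg.AppSettings.Settings.Add(SettingName, Convert.ToBase64String(blob));
        cfg.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("appSettings");
    }

    // Reads the blob back and decrypts it under the current user's profile.
    public static byte[] Load()
    {
        string stored = ConfigurationManager.AppSettings[SettingName];
        if (string.IsNullOrEmpty(stored))
            throw new InvalidOperationException("No protected key found in the config.");
        try
        {
            return ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException ex)
        {
            // Expected when the config was copied from another machine or user profile.
            throw new InvalidOperationException("Key was protected under a different user or machine.", ex);
        }
    }
}

static class Program
{
    static void Main()
    {
        byte[] key = new byte[32];                       // constructed sample key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        ProtectedKeyStore.Save(key);
        byte[] loaded = ProtectedKeyStore.Load();
        Console.WriteLine(loaded.SequenceEqual(key) ? "Round trip OK" : "Mismatch");
        Array.Clear(key, 0, key.Length);                 // do not keep plaintext key material around
        Array.Clear(loaded, 0, loaded.Length);
    }
}
```

With `DataProtectionScope.CurrentUser`, any process running as the same user can call `Unprotect` on the blob, so this protects the key at rest in the config file rather than from other code in that user's session.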