Different API Key for Preview Environment

You have a valid point. Since each week the sandbox gets wiped clean and replaced with live data, it's very hard to keep them separate. There's no easy way to prevent those who have access into the sandbox from getting access into the live data; the credentials into the sandbox more than likely would still work for the production site.

ie if you have junior developers that should not touch the production environment, but need full admin rights into the sandbox, you would have to regenerate a new API key each week for an admin account on the sandbox for them to use.

A fix for you could be to write a small tool that regenerates all API keys in the sandbox.

I can't think of an easy fix for workfront though, except maybe flagging some objects as "do not overwrite" when copying into the sandbox. That way development credentials can be maintained.

On second thought the best way to implement it for you might be to automatically recreate a sandbox-only admin account each week for your developers to use. That way they do not have access to the production and they don't have to change any authentication they have set up. API keys can be automatically generated via the API w/ the user's credentials.