Just seems strange to me that I use the same API key for my preview environment as I do for production. It is important to safeguard the production API key and preview/development environments are generally not as well safeguarded as production environments. This seems like a critical shortfall and not enterprise ready.
You have a valid point. Since each week the sandbox gets wiped clean and replaced with live data, it's very hard to keep them separate. There's no easy way to prevent those who have access into the sandbox from getting access into the live data; the credentials into the sandbox more than likely would still work for the production site.
ie if you have junior developers that should not touch the production environment, but need full admin rights into the sandbox, you would have to regenerate a new API key each week for an admin account on the sandbox for them to use.
A fix for you could be to write a small tool that regenerates all API keys in the sandbox.
I can't think of an easy fix for workfront though, except maybe flagging some objects as "do not overwrite" when copying into the sandbox. That way development credentials can be maintained.
On second thought the best way to implement it for you might be to automatically recreate a sandbox-only admin account each week for your developers to use. That way they do not have access to the production and they don't have to change any authentication they have set up. API keys can be automatically generated via the API w/ the user's credentials.
