From outputai
View and edit encrypted credentials in Output.ai projects using npx output commands. Edit in $EDITOR, show plaintext, get single values via dot-notation for API keys and secrets.
npx claudepluginhub growthxai/output --plugin outputaiThis skill is limited to using the following tools:
- Adding or updating API keys and secrets
Manages encrypted secrets in Output SDK workflows using @outputai/credentials. Handles API keys, database passwords, and tokens via CLI init, edit, show, and get commands.
Secures Claude Code sessions with nopeek CLI: loads .env secrets without exposing values, stores keys, redacts cloud CLI outputs to prevent API key leaks. Useful for secret and credential safety.
Audits and hardens API credentials with env vars, separation, rotation plans, least privilege, and auditability. Use for service integrations and production deployments.
Share bugs, ideas, or general feedback.
$EDITOR)# Edit global credentials
npx output credentials edit
# Edit environment-specific
npx output credentials edit -e production
npx output credentials edit -e staging
# Edit per-workflow credentials
npx output credentials edit -w my_workflow
The file is decrypted to a temp file, opened in $EDITOR, then re-encrypted on save. The temp file is securely wiped (overwritten with null bytes) after closing.
# Show global credentials (plaintext — use carefully)
npx output credentials show
# Show environment-specific
npx output credentials show -e production
# Show per-workflow
npx output credentials show -w my_workflow
# Get a single credential by dot-notation path
npx output credentials get anthropic.api_key
npx output credentials get aws.region
npx output credentials get stripe.secret_key -w payment_processing
Returns the raw string value (or JSON for nested objects).
Credentials are stored as structured YAML with dot-notation access:
anthropic:
api_key: sk-ant-...
openai:
api_key: sk-...
aws:
region: us-east-1
access_key_id: AKIA...
secret_access_key: ...
stripe:
secret_key: sk_live_...
webhook_secret: whsec_...
_env:
ANTHROPIC_API_KEY: anthropic.api_key
OPENAI_API_KEY: openai.api_key
The _env section maps credential paths to environment variables. See output-credentials-env-vars.
import { credentials } from '@outputai/credentials';
// Safe read — returns undefined if not found
const region = credentials.get('aws.region');
// Read with default
const region = credentials.get('aws.region', 'us-east-1');
// Strict read — throws MissingCredentialError if not found
const apiKey = credentials.require('anthropic.api_key');
Per-workflow credentials deep-merge over global credentials at runtime. Workflow values take precedence:
# Global: anthropic.api_key = "sk-ant-global"
# Workflow: anthropic.api_key = "sk-ant-workflow"
# Runtime result: credentials.get('anthropic.api_key') → "sk-ant-workflow"
| Error | Cause | Fix |
|---|---|---|
MissingKeyError | Key file not found and env var not set | Run output credentials init or set OUTPUT_CREDENTIALS_KEY |
MissingCredentialError | Path not found in credentials | Run npx output credentials edit and add the value |
aes/gcm: invalid ghash tag | Key doesn't match encrypted file | Key and .yml.enc are out of sync — re-init or use correct key |
npx output credentials show prints expected valuesnpx output credentials get anthropic.api_key returns the correct keyoutput-credentials-init — Create credentials files for the first timeoutput-credentials-env-vars — Automatically wire credentials to env varsoutput-dev-credentials — Full credentials system reference