From outputai
Wires encrypted credentials to environment variables using credential: convention in .env files. Use for LLM API keys like ANTHROPIC_API_KEY, OPENAI_API_KEY or migrating plaintext secrets to encrypted config/credentials.yml.enc.
npx claudepluginhub growthxai/output --plugin outputaiThis skill is limited to using the following tools:
- Setting up `ANTHROPIC_API_KEY` or `OPENAI_API_KEY` from encrypted credentials
Manages encrypted secrets in Output SDK workflows using @outputai/credentials. Handles API keys, database passwords, and tokens via CLI init, edit, show, and get commands.
Manages environment variables securely to prevent secrets exposure in Claude sessions, terminals, logs, or git commits. Use for handling sensitive config in development workflows.
Securely manages environment variables with Varlock CLI. Masks secrets in terminals, logs, traces, Claude context. Validates via .env.schema for API keys, credentials.
Share bugs, ideas, or general feedback.
ANTHROPIC_API_KEY or OPENAI_API_KEY from encrypted credentialsprocess.env variable automatically.env secrets to encrypted credentialscredential: ConventionAny env var whose value starts with credential: is resolved from encrypted credentials at worker startup. The format is:
ENV_VAR_NAME=credential:<dot.path>
.env# These are resolved automatically from config/credentials.yml.enc
ANTHROPIC_API_KEY=credential:anthropic.api_key
OPENAI_API_KEY=credential:openai.api_key
# Any credential path works
MY_SERVICE_TOKEN=credential:my_service.token
DATABASE_URL=credential:postgres.url
config/credentials.yml.enc)anthropic:
api_key: sk-ant-... # → resolves ANTHROPIC_API_KEY
openai:
api_key: sk-... # → resolves OPENAI_API_KEY
my_service:
token: tok_live_... # → resolves MY_SERVICE_TOKEN
postgres:
url: postgres://... # → resolves DATABASE_URL
.env via dotenv — ANTHROPIC_API_KEY = "credential:anthropic.api_key"@outputai/credentials)runStartupHooks() — resolveCredentialRefs() runsresolveCredentialRefs() scans process.env for credential: prefix valuesANTHROPIC_API_KEY is now "sk-ant-..." in process.env_env Section in Credentials YAMLThe credentials file can also declare the mapping directly in an _env section. New projects scaffold with this pre-configured:
anthropic:
api_key: sk-ant-...
openai:
api_key: sk-...
_env:
ANTHROPIC_API_KEY: anthropic.api_key
OPENAI_API_KEY: openai.api_key
Note: The
_envsection is metadata only — it documents the intended mapping but does not drive resolution. Resolution is driven by thecredential:values in.env. Keep both in sync.
Real env var values always take precedence. If ANTHROPIC_API_KEY is already set to a non-credential: value (e.g. from the shell or a CI secret), it is never overwritten:
# Real value — never touched by resolveCredentialRefs
ANTHROPIC_API_KEY=sk-ant-real-override
# Placeholder — gets replaced at startup
ANTHROPIC_API_KEY=credential:anthropic.api_key
This means you can override any credential ref at deploy time without changing files.
After the first resolution, ANTHROPIC_API_KEY contains the real API key string — it no longer starts with credential:. Subsequent calls to resolveCredentialRefs() are no-ops for that variable.
npx output credentials init
npx output credentials edit # Add anthropic.api_key, openai.api_key
.env# Replace plaintext secrets with credential references
ANTHROPIC_API_KEY=credential:anthropic.api_key
OPENAI_API_KEY=credential:openai.api_key
Start the worker and look for the log line:
Startup hooks resolved env vars {"vars":["ANTHROPIC_API_KEY","OPENAI_API_KEY"]}
If the log line appears, credentials are wired correctly.
If you need to call resolveCredentialRefs() outside of a worker context:
import { resolveCredentialRefs } from '@outputai/credentials';
// Returns array of env var names that were resolved
const resolved = resolveCredentialRefs();
console.log('Resolved:', resolved);
// → ["ANTHROPIC_API_KEY", "OPENAI_API_KEY"]
config/credentials.yml.enc contains the target credential paths.env uses credential:<path> values for the relevant env varsStartup hooks resolved env varsANTHROPIC_API_KEY is set correctly)output-credentials-init — Create the encrypted credentials fileoutput-credentials-edit — Add/update credential valuesoutput-dev-credentials — Full credentials system reference