From outputai
Manages encrypted secrets in Output SDK workflows using @outputai/credentials. Handles API keys, database passwords, and tokens via CLI init, edit, show, and get commands.
`npx claudepluginhub growthxai/output --plugin outputai`

This skill is limited to using the following tools:
The `@outputai/credentials` package provides encrypted secrets management for Output SDK workflows. It replaces `process.env` patterns with a structured, encrypted YAML-based system that supports scoped credentials with deep merging.
- `process.env` to encrypted credentials
- `MissingCredentialError`, `MissingKeyError`

```typescript
import { credentials } from '@outputai/credentials';
```

`credentials.get(path, defaultValue?)`

Safe read with optional default. Never throws.

```typescript
// Returns value or undefined
const region = credentials.get('aws.region');
// Returns value or default
const regionOrDefault = credentials.get('aws.region', 'us-east-1');
```

`credentials.require(path)`

Strict read. Throws `MissingCredentialError` if not found.

```typescript
const apiKey = credentials.require('anthropic.api_key');
```

```typescript
import { MissingCredentialError, MissingKeyError } from '@outputai/credentials';
```

| Error | Thrown When | Fix |
|---|---|---|
| `MissingCredentialError` | `credentials.require()` path not found | Add the credential via `output credentials edit` |
| `MissingKeyError` | No decryption key available | Set `OUTPUT_CREDENTIALS_KEY` env var or create `.key` file |

```bash
# Initialize credentials (generates key + encrypted YAML template)
output credentials init                          # Global
output credentials init -e production            # Environment-specific
output credentials init -w payment_processing    # Workflow-specific

# Edit credentials (decrypts, opens $EDITOR, re-encrypts on save)
output credentials edit                          # Global
output credentials edit -e production            # Environment
output credentials edit -w payment_processing    # Workflow

# Show decrypted credentials (debugging)
output credentials show                          # Global
output credentials show -e development           # Environment

# Get single credential value
output credentials get anthropic.api_key                   # Global
output credentials get stripe.key -w payment_processing    # Workflow
```

Flags:

- `-e` / `--environment`: Target environment (production, development)
- `-w` / `--workflow`: Target a specific workflow
- `-f` / `--force`: Overwrite existing credentials (init only)
- `-e` and `-w` are mutually exclusive

```
config/credentials.yml.enc    # Encrypted YAML
config/credentials.key        # Decryption key (DO NOT COMMIT)
```

Key env var: `OUTPUT_CREDENTIALS_KEY`

```
config/credentials/production.yml.enc
config/credentials/production.key
```

Key env var: `OUTPUT_CREDENTIALS_KEY_PRODUCTION`

```
src/workflows/{name}/credentials.yml.enc
src/workflows/{name}/credentials.key
```

Key env var: `OUTPUT_CREDENTIALS_KEY_{WORKFLOW_NAME}` (uppercased)

For each scope, the key is resolved in order:

1. Environment variable (`OUTPUT_CREDENTIALS_KEY`, `OUTPUT_CREDENTIALS_KEY_{ENV}`, or `OUTPUT_CREDENTIALS_KEY_{WORKFLOW}`)
2. Key file (`config/credentials.key`)
3. `MissingKeyError` if neither found

Workflow credentials fall back to the global key if no workflow-specific key exists.

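The lookup order above, modelled as an added example (not the package's own code) so the precedence can be checked: an environment variable wins over a key file on disk, and a workflow without its own key ends up using the global one. The function names, the `env` and `keyFiles` parameters, and the assumption that the fallback walks the global env var and then the global key file are illustrative.

```javascript
// Added illustration: a model of the documented lookup order, not the
// package's code. `env` stands in for process.env; `keyFiles` maps the path
// of each key file that exists on disk to its contents (constructed data).
class MissingKeyError extends Error {}

// Scope is { environment } or { workflow }; an empty scope means global.
function keyLocation(scope = {}) {
  if (scope.workflow) {
    return {
      envVar: `OUTPUT_CREDENTIALS_KEY_${scope.workflow.toUpperCase()}`,
      file: `src/workflows/${scope.workflow}/credentials.key`,
    };
  }
  if (scope.environment) {
    return {
      envVar: `OUTPUT_CREDENTIALS_KEY_${scope.environment.toUpperCase()}`,
      file: `config/credentials/${scope.environment}.key`,
    };
  }
  return { envVar: 'OUTPUT_CREDENTIALS_KEY', file: 'config/credentials.key' };
}

function resolveKey(scope, env, keyFiles) {
  // Only a workflow scope falls back to the global key (assumed order:
  // workflow env var, workflow key file, global env var, global key file).
  const candidates = scope.workflow ? [scope, {}] : [scope];
  for (const candidate of candidates) {
    const { envVar, file } = keyLocation(candidate);
    if (env[envVar]) return { key: env[envVar], source: `env:${envVar}` };
    if (Object.hasOwn(keyFiles, file)) {
      return { key: keyFiles[file], source: `file:${file}` };
    }
  }
  throw new MissingKeyError(`No decryption key for scope ${JSON.stringify(scope)}`);
}
```

Logging the `source` field at startup, never the key itself, shows which key a deployment actually picked up.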
When a workflow has its own credentials, they deep-merge over global credentials. Workflow values win at the same path:

```yaml
# Global (config/credentials.yml.enc)
anthropic:
  api_key: sk-ant-global
aws:
  region: us-east-1

# Workflow (src/workflows/my_workflow/credentials.yml.enc)
anthropic:
  api_key: sk-ant-workflow-specific
stripe:
  secret_key: sk_live_workflow

# Merged result at runtime:
# anthropic.api_key -> sk-ant-workflow-specific (overridden by workflow)
# aws.region -> us-east-1 (from global)
# stripe.secret_key -> sk_live_workflow (added by workflow)
```

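
The merge above, together with the `credentials.get` / `credentials.require` semantics described earlier, as an added example that models the documented behaviour in plain JavaScript; it is not the package's implementation. The helper names `deepMerge`, `get` and `requireCredential` are illustrative, and the sample values are the ones from the YAML above.

```javascript
// Added illustration: a model of the documented semantics, not the
// @outputai/credentials source.
class MissingCredentialError extends Error {}

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Workflow values win at the same path; nested maps merge key by key.
function deepMerge(base, override) {
  const out = { ...base };
  for (const [key, value] of Object.entries(override)) {
    out[key] = isPlainObject(value) && isPlainObject(out[key])
      ? deepMerge(out[key], value)
      : value;
  }
  return out;
}

// Safe read: walks the dot path and returns the default instead of throwing.
function get(store, path, defaultValue) {
  let node = store;
  for (const part of path.split('.')) {
    if (!isPlainObject(node) || !Object.hasOwn(node, part)) return defaultValue;
    node = node[part];
  }
  return node;
}

// Strict read: a missing secret fails loudly instead of becoming ''.
function requireCredential(store, path) {
  const value = get(store, path);
  if (value === undefined) throw new MissingCredentialError(`Missing credential: ${path}`);
  return value;
}

// Sample data copied from the YAML example on this page.
const globalCreds = {
  anthropic: { api_key: 'sk-ant-global' },
  aws: { region: 'us-east-1' },
};
const workflowCreds = {
  anthropic: { api_key: 'sk-ant-workflow-specific' },
  stripe: { secret_key: 'sk_live_workflow' },
};
const merged = deepMerge(globalCreds, workflowCreds);
```
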
`process.env`

```typescript
import { httpClient } from '@outputai/http';

const API_KEY = process.env.SERVICE_API_KEY || '';

const client = httpClient({
  prefixUrl: 'https://api.service.com',
  headers: { Authorization: `Bearer ${API_KEY}` }
});
```

```typescript
import { httpClient } from '@outputai/http';
import { credentials } from '@outputai/credentials';

const apiKey = credentials.require('service.api_key');

const client = httpClient({
  prefixUrl: 'https://api.service.com',
  headers: { Authorization: `Bearer ${apiKey}` }
});
```

- `output credentials init` to create the encrypted file and key
- `output credentials edit` to add your secrets
- `process.env.X` reads with `credentials.require('x')` or `credentials.get('x', default)`
- `.env` files
- `*.key` to `.gitignore`

Replace the default encrypted YAML backend with Vault, AWS Secrets Manager, etc.:

```typescript
import { setProvider } from '@outputai/credentials';

// fetchFromVault is a placeholder for your own secrets-backend client;
// it is not part of @outputai/credentials.
setProvider({
  // Called for global and environment-scoped credentials.
  loadGlobal: ({ environment }) => {
    return fetchFromVault(`credentials/${environment || 'default'}`);
  },
  // Return null when the workflow has no credentials of its own.
  loadForWorkflow: ({ workflowName, environment }) => {
    return fetchFromVault(`workflows/${workflowName}`) ?? null;
  }
});
```

```typescript
interface CredentialsProvider {
  loadGlobal(context: { environment: string | undefined }): Record<string, unknown>;
  loadForWorkflow(context: {
    workflowName: string;
    workflowDir: string | undefined;
    environment?: string | undefined;
  }): Record<string, unknown> | null;
}
```

- `.key` files - Add `*.key` to `.gitignore`
- `.yml.enc` files - Cannot be read without the key
- `0o600` (owner-only read/write)
- `edit`
- `OUTPUT_CREDENTIALS_KEY` in your pipeline

- `credentials` imported from `@outputai/credentials`
- `credentials.require()` used for mandatory secrets (not `process.env`)
- `credentials.get()` used with default for optional values
- `*.key` listed in `.gitignore`
- `output credentials init`
- `output credentials edit`

- `output-credentials-init` - Initializing credentials files for the first time
- `output-credentials-edit` - Viewing and editing credential values
- `output-credentials-env-vars` - Wiring credentials to env vars with the `credential:` convention
- `output-dev-http-client-create` - Creating HTTP clients that use credentials
- `output-dev-step-function` - Using credentials in step functions
- `output-error-http-client` - Troubleshooting HTTP client issues