NEVER commit API keys or secrets to the repository!
Use Environment Variables
- Store API keys in `.env` files (which are gitignored)
- Use `.env.example` as a template (without real keys)
- Access keys via `os.getenv()` in Python or `process.env` in TypeScript
Workflow Files
- Never hardcode API keys in workflow JSON files
- Use template placeholders: `{API_KEY_NAME}`
- Inject keys via Python/TypeScript nodes that read from environment variables
Example: Injecting API Keys
Python Node (before HTTP node):
```python
import os

def run(input):
    # Read the key from the environment at run time; it never appears in the workflow JSON.
    api_key = os.getenv('POLYGON_API_KEY', '')
    # Pass the node input through, adding the key under the placeholder's name.
    return {**input, 'POLYGON_API_KEY': api_key}
```
HTTP Node Config:
```json
{
  "url": "https://api.example.com/data?apiKey={POLYGON_API_KEY}"
}
```
LLM Nodes
- Use `api_key_name` to reference environment variables
- Or use a per-node API key override (stored securely in the DB, not in the JSON export)
- Never hardcode keys in workflow JSON

If a key has been exposed:
- Immediately rotate/revoke the exposed key
- Remove it from git history (if not yet pushed):
```bash
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch path/to/file" \
  --prune-empty --tag-name-filter cat -- --all
```
- If already pushed: rotate the key and consider using git-secrets or BFG Repo-Cleaner
- Use `.gitignore` to exclude `.env` files
- Use the provided `scripts/pre-commit-check.sh` hook to detect API keys before committing
- Review workflow JSON files before committing
- Use `.env.example` as a template (never commit the actual `.env`)
To automatically check for API keys before committing:
```bash
# Make the script executable (already done)
chmod +x scripts/pre-commit-check.sh
# Install as git hook
ln -s ../../scripts/pre-commit-check.sh .git/hooks/pre-commit
```
This will block commits that contain potential API keys.
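As an added example (not code from this project), the following Python module ties together the injection pattern from the "Injecting API Keys" section and the pre-commit check: a stricter variant of the injection node that fails when the variable is unset, placeholder rendering that refuses to build a URL with an unresolved `{NAME}`, and a scan of a workflow JSON export for literal values in secret-like fields or query parameters, the kind of check a hook such as `scripts/pre-commit-check.sh` would perform. The sample workflow, the `sk_EXAMPLE_…` value and the function names are constructed for illustration.

```python
import json
import os
import re
# Constructed sample export (not a project file): first node uses a {PLACEHOLDER}, second a literal key.
WORKFLOW_JSON = json.dumps({"nodes": [
    {"type": "http", "url": "https://api.example.com/data?apiKey={POLYGON_API_KEY}"},
    {"type": "http", "url": "https://api.example.com/data?apiKey=sk_EXAMPLE_0123456789"},
    {"type": "llm", "api_key_name": "OPENAI_API_KEY"},
]})

PLACEHOLDER = re.compile(r"\{([A-Z][A-Z0-9_]*)\}")
SECRET_FIELD = re.compile(r"api[_-]?key|token|secret|authorization", re.IGNORECASE)

def inject_from_env(node_input, names, env=os.environ):
    """Python-node step: copy the named variables from the environment into the node
    input. A missing variable fails loudly instead of becoming an empty apiKey."""
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError(f"missing environment variables: {missing}")
    return {**node_input, **{n: env[n] for n in names}}

def render(template, ctx):
    """Fill {NAME} placeholders from ctx; refuse to build a URL with one unresolved."""
    def sub(m):
        if m.group(1) not in ctx:
            raise KeyError(f"unresolved placeholder {m.group(0)}")
        return ctx[m.group(1)]
    return PLACEHOLDER.sub(sub, template)

def find_hardcoded_keys(workflow_json):
    """Return (json path, value) for secret-like fields or query params holding a literal
    instead of a {PLACEHOLDER}. api_key_name holds a variable name, not a key, so it is skipped."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str):
            field = path.rsplit(".", 1)[-1]
            if SECRET_FIELD.search(field) and field != "api_key_name" and not PLACEHOLDER.fullmatch(node):
                findings.append((path, node))
            for m in re.finditer(r"[?&]([A-Za-z_]+)=([^&\s]+)", node):
                if SECRET_FIELD.search(m.group(1)) and not PLACEHOLDER.fullmatch(m.group(2)):
                    findings.append((path, m.group(2)))
    walk(json.loads(workflow_json), "$")
    return findings
```

Running `find_hardcoded_keys(WORKFLOW_JSON)` reports only the second node's URL, while the placeholder form and the `api_key_name` reference pass.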
Create a `.env` file in the project root (or `api/.env` for the backend):
```bash
# Copy from .env.example
cp .env.example .env
# Edit .env and add your actual keys
# NEVER commit this file!
```