| name | output-credentials-env-vars |
| description | Wire encrypted credentials to environment variables using the credential: convention. Use when setting up LLM provider keys (ANTHROPIC_API_KEY, OPENAI_API_KEY) or any env var that should come from encrypted credentials. |
| allowed-tools | ["Read","Edit","Bash","Glob"] |
Credentials as Environment Variables
When to Use This Skill
- Setting up
ANTHROPIC_API_KEY or OPENAI_API_KEY from encrypted credentials
- Wiring any credential path to a
process.env variable automatically
- Migrating from plaintext
.env secrets to encrypted credentials
- Understanding why an env var is being resolved at worker startup
The credential: Convention
Any env var whose value starts with credential: is resolved from encrypted credentials at worker startup. The format is:
ENV_VAR_NAME=credential:<dot.path>
Example .env
ANTHROPIC_API_KEY=credential:anthropic.api_key
OPENAI_API_KEY=credential:openai.api_key
MY_SERVICE_TOKEN=credential:my_service.token
DATABASE_URL=credential:postgres.url
Encrypted credentials (config/credentials.yml.enc)
anthropic:
api_key: sk-ant-...
openai:
api_key: sk-...
my_service:
token: tok_live_...
postgres:
url: postgres://...
How It Works
- Worker loads
.env via dotenv — ANTHROPIC_API_KEY = "credential:anthropic.api_key"
- Worker loads all workflow activity files (importing
@outputai/credentials)
- Worker calls
runStartupHooks() — resolveCredentialRefs() runs
resolveCredentialRefs() scans process.env for credential: prefix values
- Each matching var is replaced with the actual decrypted credential value
ANTHROPIC_API_KEY is now "sk-ant-..." in process.env
- LLM SDK reads it normally when the first workflow activity runs
The _env Section in Credentials YAML
The credentials file can also declare the mapping directly in an _env section. New projects scaffold with this pre-configured:
anthropic:
api_key: sk-ant-...
openai:
api_key: sk-...
_env:
ANTHROPIC_API_KEY: anthropic.api_key
OPENAI_API_KEY: openai.api_key
Note: The _env section is metadata only — it documents the intended mapping but does not drive resolution. Resolution is driven by the credential: values in .env. Keep both in sync.
Precedence Rules
Real env var values always take precedence. If ANTHROPIC_API_KEY is already set to a non-credential: value (e.g. from the shell or a CI secret), it is never overwritten:
ANTHROPIC_API_KEY=sk-ant-real-override
ANTHROPIC_API_KEY=credential:anthropic.api_key
This means you can override any credential ref at deploy time without changing files.
Idempotency
After the first resolution, ANTHROPIC_API_KEY contains the real API key string — it no longer starts with credential:. Subsequent calls to resolveCredentialRefs() are no-ops for that variable.
Setting Up the Convention
Step 1: Initialize credentials (if not done)
npx output credentials init
npx output credentials edit
Step 2: Update .env
ANTHROPIC_API_KEY=credential:anthropic.api_key
OPENAI_API_KEY=credential:openai.api_key
Step 3: Verify
Start the worker and look for the log line:
Startup hooks resolved env vars {"vars":["ANTHROPIC_API_KEY","OPENAI_API_KEY"]}
If the log line appears, credentials are wired correctly.
Programmatic Access
If you need to call resolveCredentialRefs() outside of a worker context:
import { resolveCredentialRefs } from '@outputai/credentials';
const resolved = resolveCredentialRefs();
console.log('Resolved:', resolved);
Verification Checklist
Related Skills
output-credentials-init — Create the encrypted credentials file
output-credentials-edit — Add/update credential values
output-dev-credentials — Full credentials system reference