Stats
Actions
Tags
From outputai
View and edit encrypted credentials in Output.ai projects using npx output commands. Edit in $EDITOR, show plaintext, get single values via dot-notation for API keys and secrets.
How this skill is triggered — by the user, by Claude, or both
Slash command
/outputai:output-credentials-editThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- Adding or updating API keys and secrets
$EDITOR)# Edit global credentials
npx output credentials edit
# Edit environment-specific
npx output credentials edit -e production
npx output credentials edit -e staging
# Edit per-workflow credentials
npx output credentials edit -w my_workflow
The file is decrypted to a temp file, opened in $EDITOR, then re-encrypted on save. The temp file is securely wiped (overwritten with null bytes) after closing.
# Show global credentials (plaintext — use carefully)
npx output credentials show
# Show environment-specific
npx output credentials show -e production
# Show per-workflow
npx output credentials show -w my_workflow
# Get a single credential by dot-notation path
npx output credentials get anthropic.api_key
npx output credentials get aws.region
npx output credentials get stripe.secret_key -w payment_processing
Returns the raw string value (or JSON for nested objects).
Credentials are stored as structured YAML with dot-notation access:
anthropic:
api_key: sk-ant-...
openai:
api_key: sk-...
aws:
region: us-east-1
access_key_id: AKIA...
secret_access_key: ...
stripe:
secret_key: sk_live_...
webhook_secret: whsec_...
_env:
ANTHROPIC_API_KEY: anthropic.api_key
OPENAI_API_KEY: openai.api_key
The _env section maps credential paths to environment variables. See output-credentials-env-vars.
import { credentials } from '@outputai/credentials';
// Safe read — returns undefined if not found
const region = credentials.get('aws.region');
// Read with default
const region = credentials.get('aws.region', 'us-east-1');
// Strict read — throws MissingCredentialError if not found
const apiKey = credentials.require('anthropic.api_key');
Per-workflow credentials deep-merge over global credentials at runtime. Workflow values take precedence:
# Global: anthropic.api_key = "sk-ant-global"
# Workflow: anthropic.api_key = "sk-ant-workflow"
# Runtime result: credentials.get('anthropic.api_key') → "sk-ant-workflow"
| Error | Cause | Fix |
|---|---|---|
MissingKeyError | Key file not found and env var not set | Run output credentials init or set OUTPUT_CREDENTIALS_KEY |
MissingCredentialError | Path not found in credentials | Run npx output credentials edit and add the value |
aes/gcm: invalid ghash tag | Key doesn't match encrypted file | Key and .yml.enc are out of sync — re-init or use correct key |
npx output credentials show prints expected valuesnpx output credentials get anthropic.api_key returns the correct keyoutput-credentials-init — Create credentials files for the first timeoutput-credentials-env-vars — Automatically wire credentials to env varsoutput-dev-credentials — Full credentials system referencenpx claudepluginhub growthxai/output --plugin outputaiManages encrypted secrets in Output SDK workflows using @outputai/credentials. Handles API keys, database passwords, and tokens via CLI init, edit, show, and get commands.
Secures Claude Code sessions with nopeek CLI: loads .env secrets without exposing values, stores keys, redacts cloud CLI outputs to prevent API key leaks. Useful for secret and credential safety.
Enforces secret management best practices: never hardcode credentials, use environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault), and validate startup configuration.