From outputai
Manages encrypted secrets in Output SDK workflows using @outputai/credentials. Handles API keys, database passwords, and tokens via CLI init, edit, show, and get commands.
Slash command: `/outputai:output-dev-credentials`
The `@outputai/credentials` package provides encrypted secrets management for Output SDK workflows. It replaces `process.env` patterns with a structured, encrypted YAML-based system that supports scoped credentials with deep merging.
- `process.env` to encrypted credentials
- `MissingCredentialError`, `MissingKeyError`

```typescript
import { credentials } from '@outputai/credentials';
```

`credentials.get(path, defaultValue?)`

Safe read with optional default. Never throws.

```typescript
// Returns value or undefined
const region = credentials.get('aws.region');
// Returns value or default
const regionOrDefault = credentials.get('aws.region', 'us-east-1');
```

`credentials.require(path)`

Strict read. Throws `MissingCredentialError` if not found.

```typescript
const apiKey = credentials.require('anthropic.api_key');
```

```typescript
import { MissingCredentialError, MissingKeyError } from '@outputai/credentials';
```
| Error | Thrown When | Fix |
|---|---|---|
| `MissingCredentialError` | `credentials.require()` path not found | Add the credential via `output credentials edit` |
| `MissingKeyError` | No decryption key available | Set `OUTPUT_CREDENTIALS_KEY` env var or create `.key` file |
```bash
# Initialize credentials (generates key + encrypted YAML template)
output credentials init                          # Global
output credentials init -e production            # Environment-specific
output credentials init -w payment_processing    # Workflow-specific

# Edit credentials (decrypts, opens $EDITOR, re-encrypts on save)
output credentials edit                          # Global
output credentials edit -e production            # Environment
output credentials edit -w payment_processing    # Workflow

# Show decrypted credentials (debugging)
output credentials show                          # Global
output credentials show -e development           # Environment

# Get single credential value
output credentials get anthropic.api_key                   # Global
output credentials get stripe.key -w payment_processing    # Workflow
```
Flags:

- `-e` / `--environment`: Target environment (production, development)
- `-w` / `--workflow`: Target a specific workflow
- `-f` / `--force`: Overwrite existing credentials (init only)
- `-e` and `-w` are mutually exclusive

```
config/credentials.yml.enc    # Encrypted YAML
config/credentials.key        # Decryption key (DO NOT COMMIT)
```

Key env var: `OUTPUT_CREDENTIALS_KEY`

```
config/credentials/production.yml.enc
config/credentials/production.key
```

Key env var: `OUTPUT_CREDENTIALS_KEY_PRODUCTION`

```
src/workflows/{name}/credentials.yml.enc
src/workflows/{name}/credentials.key
```

Key env var: `OUTPUT_CREDENTIALS_KEY_{WORKFLOW_NAME}` (uppercased)

For each scope, the key is resolved in order:

1. `OUTPUT_CREDENTIALS_KEY`, `OUTPUT_CREDENTIALS_KEY_{ENV}`, or `OUTPUT_CREDENTIALS_KEY_{WORKFLOW}`
2. `config/credentials.key`
3. `MissingKeyError` if neither found

Workflow credentials fall back to the global key if no workflow-specific key exists.
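The resolution order above, modelled as pure functions so the precedence can be checked without touching disk. This is an added example, not code from `@outputai/credentials`; the `resolveKey`, `keyEnvVar` and `keyFilePath` names, the `files` map standing in for the filesystem, and the assumption that the workflow fallback retries the full lookup at global scope are all illustrative.

```javascript
// Stand-in for the error class the page names; not imported from the real package.
class MissingKeyError extends Error {}

// Env var that holds the key for a scope, per the naming listed above.
function keyEnvVar({ environment, workflow } = {}) {
  const suffix = workflow ?? environment;
  return suffix
    ? `OUTPUT_CREDENTIALS_KEY_${suffix.toUpperCase()}`
    : 'OUTPUT_CREDENTIALS_KEY';
}

// Key file path for a scope, per the file layout listed above.
function keyFilePath({ environment, workflow } = {}) {
  if (workflow) return `src/workflows/${workflow}/credentials.key`;
  if (environment) return `config/credentials/${environment}.key`;
  return 'config/credentials.key';
}

// env: plain map of environment variables.
// files: map of path -> key file contents (constructed stand-in for the disk).
function resolveKey(scope, env, files) {
  // Assumption: a workflow scope retries the whole lookup against the global scope.
  const scopes = scope.workflow ? [scope, {}] : [scope];
  for (const s of scopes) {
    const name = keyEnvVar(s);
    if (env[name]) return { key: env[name], source: `env:${name}` };
    const path = keyFilePath(s);
    if (files[path]) return { key: files[path].trim(), source: `file:${path}` };
  }
  throw new MissingKeyError(`no key for scope ${JSON.stringify(scope)}`);
}

// Constructed sample state: a CI variable plus a key file left on disk.
const sampleEnv = { OUTPUT_CREDENTIALS_KEY: 'key-from-ci' };
const sampleFiles = { 'config/credentials.key': 'key-from-disk\n' };

console.log(resolveKey({}, sampleEnv, sampleFiles).source);
console.log(resolveKey({ workflow: 'payment_processing' }, {}, sampleFiles).source);
```

Because the environment variable is consulted first, a key file left in a checkout is ignored whenever the pipeline sets the variable.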
When a workflow has its own credentials, they deep-merge over global credentials. Workflow values win at the same path:
```yaml
# Global (config/credentials.yml.enc)
anthropic:
  api_key: sk-ant-global
aws:
  region: us-east-1
```

```yaml
# Workflow (src/workflows/my_workflow/credentials.yml.enc)
anthropic:
  api_key: sk-ant-workflow-specific
stripe:
  secret_key: sk_live_workflow
```

```
# Merged result at runtime:
# anthropic.api_key -> sk-ant-workflow-specific (overridden by workflow)
# aws.region        -> us-east-1 (from global)
# stripe.secret_key -> sk_live_workflow (added by workflow)
```
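The merge behaviour above, reproduced on the same sample values as an added example; it is not the package's implementation. The `deepMerge` and `getPath` helpers are hypothetical, and two choices are assumptions of this sketch: non-map values (including arrays) are replaced wholesale, and `__proto__`, `constructor` and `prototype` keys are dropped so a credentials document cannot alter object prototypes during the merge.

```javascript
// Keys that are never copied out of a parsed credentials document.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Returns a new tree with `override` merged over `base`; inputs are not mutated.
// A null `override` (no workflow credentials) yields a copy of `base`.
function deepMerge(base, override) {
  const out = Object.create(null); // no prototype, so lookups see own keys only
  for (const source of [base, override]) {
    for (const [key, value] of Object.entries(source ?? {})) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      if (isPlainObject(value)) {
        // Recurse when both sides are maps, otherwise deep-copy the new map.
        out[key] = deepMerge(isPlainObject(out[key]) ? out[key] : {}, value);
      } else {
        out[key] = value; // scalars and arrays: the later source wins
      }
    }
  }
  return out;
}

// Dot-path lookup that returns `defaultValue` instead of throwing.
function getPath(tree, path, defaultValue) {
  let node = tree;
  for (const part of path.split('.')) {
    if (!isPlainObject(node) || !Object.hasOwn(node, part)) return defaultValue;
    node = node[part];
  }
  return node;
}

// Sample values copied from the YAML above.
const globalCreds = {
  anthropic: { api_key: 'sk-ant-global' },
  aws: { region: 'us-east-1' },
};
const workflowCreds = {
  anthropic: { api_key: 'sk-ant-workflow-specific' },
  stripe: { secret_key: 'sk_live_workflow' },
};

const merged = deepMerge(globalCreds, workflowCreds);
console.log(getPath(merged, 'anthropic.api_key'));
console.log(getPath(merged, 'aws.region'));
```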
`process.env`

```typescript
import { httpClient } from '@outputai/http';

// Key is read from the process environment; a missing variable silently becomes ''
const API_KEY = process.env.SERVICE_API_KEY || '';

const client = httpClient({
  prefixUrl: 'https://api.service.com',
  headers: { Authorization: `Bearer ${API_KEY}` }
});
```

```typescript
import { httpClient } from '@outputai/http';
import { credentials } from '@outputai/credentials';

// Strict read from the encrypted credentials; throws MissingCredentialError if the path is absent
const apiKey = credentials.require('service.api_key');

const client = httpClient({
  prefixUrl: 'https://api.service.com',
  headers: { Authorization: `Bearer ${apiKey}` }
});
```

- `output credentials init` to create the encrypted file and key
- `output credentials edit` to add your secrets
- `process.env.X` reads with `credentials.require('x')` or `credentials.get('x', default)`
- `.env` files
- `*.key` to `.gitignore`

Replace the default encrypted YAML backend with Vault, AWS Secrets Manager, etc.:
```typescript
import { setProvider } from '@outputai/credentials';

// fetchFromVault is not defined on this page; supply your own secret-store client.
setProvider({
  // Global credentials, optionally scoped by environment
  loadGlobal: ({ environment }) => {
    return fetchFromVault(`credentials/${environment || 'default'}`);
  },
  // Workflow credentials; null means the workflow has none of its own
  loadForWorkflow: ({ workflowName, environment }) => {
    return fetchFromVault(`workflows/${workflowName}`) ?? null;
  }
});
```

```typescript
interface CredentialsProvider {
  loadGlobal(context: { environment: string | undefined }): Record<string, unknown>;
  loadForWorkflow(context: {
    workflowName: string;
    workflowDir: string | undefined;
    environment?: string | undefined;
  }): Record<string, unknown> | null;
}
```
- `.key` files - Add `*.key` to `.gitignore`
- `.yml.enc` files - Cannot be read without the key
- `0o600` (owner-only read/write)
- `edit`
- `OUTPUT_CREDENTIALS_KEY` in your pipeline

- `credentials` imported from `@outputai/credentials`
- `credentials.require()` used for mandatory secrets (not `process.env`)
- `credentials.get()` used with default for optional values
- `*.key` listed in `.gitignore`
- `output credentials init`
- `output credentials edit`

- `output-credentials-init` - Initializing credentials files for the first time
- `output-credentials-edit` - Viewing and editing credential values
- `output-credentials-env-vars` - Wiring credentials to env vars with the `credential:` convention
- `output-dev-http-client-create` - Creating HTTP clients that use credentials
- `output-dev-step-function` - Using credentials in step functions
- `output-error-http-client` - Troubleshooting HTTP client issues

```bash
npx claudepluginhub growthxai/output --plugin outputai
```

View and edit encrypted credentials in Output.ai projects using npx output commands. Edit in $EDITOR, show plaintext, get single values via dot-notation for API keys and secrets.
Enforces secret management best practices: never hardcode credentials, use environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault), and validate startup configuration.
Secures Claude Code sessions with nopeek CLI: loads .env secrets without exposing values, stores keys, redacts cloud CLI outputs to prevent API key leaks. Useful for secret and credential safety.