| sidebar_position |
|---|
11 |
A comprehensive guide for managing API keys, credentials, and other sensitive configuration in Eliza.
Eliza uses a hierarchical environment variable system that retrieves settings in this order:
- Character-specific secrets (highest priority)
- Character-specific settings
- Global environment variables
- Default values (lowest priority)
This allows you to override global settings for specific characters when needed.
# API Keys for Model Providers
OPENAI_API_KEY=sk-* # OpenAI API key
ANTHROPIC_API_KEY=your-key # Anthropic/Claude API key
GOOGLE_GENERATIVE_AI_API_KEY= # Gemini API key
GROQ_API_KEY=gsk-* # Groq API key
# Client Authentication
DISCORD_API_TOKEN= # Discord bot token
TELEGRAM_BOT_TOKEN= # Telegram bot token
TWITTER_USERNAME= # Twitter/X username
TWITTER_PASSWORD= # Twitter/X password
# Database Credentials
SUPABASE_URL= # Supabase URL
SUPABASE_ANON_KEY= # Supabase anonymous key
MONGODB_CONNECTION_STRING= # MongoDB connection string
# Blockchain Related
EVM_PRIVATE_KEY= # EVM private key with "0x" prefix
SOLANA_PRIVATE_KEY= # Solana wallet private key
SOLANA_PUBLIC_KEY= # Solana wallet public keyFor a complete list of supported environment variables, see the .env.example file in the project repository.
-
Create a
.envfile in your project root directory:cp .env.example .env
-
Add your secrets to this file:
# Model Provider OPENAI_API_KEY=sk-xxxxxxxxxxxxx # Clients DISCORD_API_TOKEN=xxxxxxxxxxxxxxxx
-
The
.envfile is automatically excluded from Git via.gitignoreto prevent accidental exposure.
Use the runtime.getSetting() method to access configuration values:
// In a plugin, action, or service
const apiKey = runtime.getSetting("OPENAI_API_KEY");
if (!apiKey) {
throw new Error("OpenAI API key not configured");
}
// With a fallback value
const temperature = runtime.getSetting("TEMPERATURE") || "0.7";This method automatically handles the environment variable hierarchy, checking character-specific secrets first, then character settings, and finally global environment variables.
Define secrets for individual characters in their character file:
{
"name": "FinancialAssistant",
"settings": {
"secrets": {
"OPENAI_API_KEY": "sk-character-specific-key",
"ALPHA_VANTAGE_API_KEY": "financial-data-api-key"
}
}
}Alternatively, use namespaced environment variables with this format:
CHARACTER.<CHARACTER_NAME>.<SECRET_NAME>=value
For example:
CHARACTER.TraderAgent.OPENAI_API_KEY=sk-character-specific-key
Keep separate environment files for different deployment contexts:
.env.development # Local development settings
.env.staging # Testing environment
.env.production # Production settingsLoad the appropriate file based on your NODE_ENV or custom environment flag.
Validate required secrets before using them:
function validateRequiredSecrets(runtime) {
const required = ["OPENAI_API_KEY", "DATABASE_URL"];
const missing = required.filter(key => !runtime.getSetting(key));
if (missing.length > 0) {
throw new Error(`Missing required secrets: ${missing.join(", ")}`);
}
}Avoid exposing secrets in error messages or logs:
try {
const apiKey = runtime.getSetting("API_KEY");
// Use API key...
} catch (error) {
// Log without exposing the secret
console.error("Error using API:", error.message);
// Don't log the actual API key!
}Validate API key formats before use:
// OpenAI API key validation
const apiKey = runtime.getSetting("OPENAI_API_KEY");
if (apiKey && !apiKey.startsWith("sk-")) {
throw new Error("Invalid OpenAI API key format");
}
// Mask before logging
const maskedKey = apiKey ? `${apiKey.substring(0, 5)}...` : "not set";
console.log("Using API key:", maskedKey);Take extra care with blockchain private keys:
// Retrieve private key from settings
const privateKey = runtime.getSetting("WALLET_PRIVATE_KEY");
// Validate private key format (example for EVM)
if (privateKey && !privateKey.match(/^(0x)?[0-9a-fA-F]{64}$/)) {
throw new Error("Invalid private key format");
}
// Use private key securely - NEVER log the actual key
console.log("Using wallet with address:", getAddressFromPrivateKey(privateKey));Implement periodic key rotation for production deployments:
- Generate new API keys/credentials
- Update environment variables or character secrets
- Verify functionality with new credentials
- Revoke old credentials
When deploying to cloud environments:
-
Use the platform's secrets management service:
- AWS: Secrets Manager or Parameter Store
- Google Cloud: Secret Manager
- Azure: Key Vault
- Vercel/Netlify: Environment Variables UI
-
Minimize secret access:
- Restrict which services can access which secrets
- Use short-lived credentials when possible
- Configure proper IAM roles and permissions
If settings aren't being found:
- Check that the
.envfile exists in the project root - Verify variable names match exactly (they're case-sensitive)
- Ensure the file is properly formatted with no spaces around equals signs
If character-specific secrets aren't being applied:
- Verify the character name in your namespaced variable matches exactly
- Check JSON syntax in the character file's
settings.secretsobject - Restart the application after changes to environment variables
If your entire .env file isn't being loaded:
// Add this near the start of your application
import dotenv from 'dotenv';
dotenv.config({ path: '.env.development' }); // Specify exact path if needed- Configuration Guide - General application configuration
- Character Files - Character-specific configuration
- Local Development - Development environment setup
- Deployment Guide - Secure production deployment