Motivation
Storing plain-text API keys in config.json is a security concern, especially in shared or CI environments. Many users already have API keys set as environment variables (e.g. DEEPSEEK_API_KEY, OPENAI_API_KEY).
Proposal
When a provider's apiKey is empty in config.json, fall back to environment variables before marking the config as incomplete:
{PROVIDER_ID}_API_KEY (uppercased, dashes → underscores) — e.g. DEEPSEEK_V4_FLASH_API_KEY
- The config file's
apiKey field remains empty — no keys written to disk
A reference implementation is available on the quanttide/iceCoder fork: feat/env-api-key-injection branch.
Questions for discussion
- Should there be a generic fallback like
OPENAI_API_KEY / DEEPSEEK_API_KEY in addition to the ID-specific one?
- Should the Web UI's config page indicate when a key is sourced from env rather than the config file?
- Should the config readiness check (
isAppConfigReady) also consider env vars?
Prior art
- Claude Code reads
ANTHROPIC_API_KEY from env
- OpenAI's official SDKs read
OPENAI_API_KEY from env
- iceCoder's
DEFAULT_CONFIG already has a placeholder pattern (sk-your-api-key-here)
Motivation
Storing plain-text API keys in
config.jsonis a security concern, especially in shared or CI environments. Many users already have API keys set as environment variables (e.g.DEEPSEEK_API_KEY,OPENAI_API_KEY).Proposal
When a provider's
apiKeyis empty inconfig.json, fall back to environment variables before marking the config as incomplete:{PROVIDER_ID}_API_KEY(uppercased, dashes → underscores) — e.g.DEEPSEEK_V4_FLASH_API_KEYapiKeyfield remains empty — no keys written to diskA reference implementation is available on the
quanttide/iceCoderfork:feat/env-api-key-injectionbranch.Questions for discussion
OPENAI_API_KEY/DEEPSEEK_API_KEYin addition to the ID-specific one?isAppConfigReady) also consider env vars?Prior art
ANTHROPIC_API_KEYfrom envOPENAI_API_KEYfrom envDEFAULT_CONFIGalready has a placeholder pattern (sk-your-api-key-here)