Skip to content

feat: inject API key from environment variable when config's apiKey is empty #42

Description

@Guo-Zhang

Motivation

Storing plain-text API keys in config.json is a security concern, especially in shared or CI environments. Many users already have API keys set as environment variables (e.g. DEEPSEEK_API_KEY, OPENAI_API_KEY).

Proposal

When a provider's apiKey is empty in config.json, fall back to environment variables before marking the config as incomplete:

  1. {PROVIDER_ID}_API_KEY (uppercased, dashes → underscores) — e.g. DEEPSEEK_V4_FLASH_API_KEY
  2. The config file's apiKey field remains empty — no keys written to disk

A reference implementation is available on the quanttide/iceCoder fork: feat/env-api-key-injection branch.

Questions for discussion

  • Should there be a generic fallback like OPENAI_API_KEY / DEEPSEEK_API_KEY in addition to the ID-specific one?
  • Should the Web UI's config page indicate when a key is sourced from env rather than the config file?
  • Should the config readiness check (isAppConfigReady) also consider env vars?

Prior art

  • Claude Code reads ANTHROPIC_API_KEY from env
  • OpenAI's official SDKs read OPENAI_API_KEY from env
  • iceCoder's DEFAULT_CONFIG already has a placeholder pattern (sk-your-api-key-here)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions