
Secrets Management

Tags: security, beginner

Add to your AGENTS.md:

Read https://moltsec.com/blocks/secrets-management

Overview

Never hardcode API keys again. This block shows you how to use Proton Pass, 1Password, or environment-based secrets with proper rotation.

How It Works

  1. Secrets stored in password manager, not files
  2. Fetched at runtime via CLI (op, pass-cli)
  3. Environment variables for non-sensitive config
  4. Rotation reminders built into heartbeat
  5. Never logged, never in git history
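Steps 1, 2, 3 and 5 above, written out as one reusable fetch routine. This is an added example, not code from moltsec.com: it uses the `op read op://<vault>/<item>/<field>` and `pass-cli get <item>` invocations this page already relies on, and everything else (the function names, the `OP_BIN`/`PASS_CLI_BIN` overrides, the `~/.env` fallback path) is an assumption of the example. The two things the one-liners on this page do not do are fail closed when the CLI returns nothing, and keep the value out of logs.

```bash
#!/usr/bin/env bash
# secrets.sh: fetch one secret at run time from the first backend that has it.
# Added example; not code from moltsec.com. Assumes the 1Password CLI
# (`op read op://<vault>/<item>/<field>`) and Proton Pass CLI
# (`pass-cli get <item>`) invocations used on this page; the fallback file
# path, the *_BIN overrides and the function names are this example's own.
set -euo pipefail

: "${OP_BIN:=op}"                          # 1Password CLI
: "${PASS_CLI_BIN:=pass-cli}"              # Proton Pass CLI
: "${SECRETS_ENV_FILE:=${HOME:-}/.env}"    # least-preferred fallback

# fetch_secret <ENV_NAME> <op-uri> <pass-cli-item>
# Writes the value to stdout. Fails closed: returns 1 when no backend yields
# a non-empty value, so a wrapper never runs its tool with an empty key.
fetch_secret() {
  local name=$1 op_uri=$2 pass_item=$3 value=""

  if command -v "$OP_BIN" >/dev/null 2>&1; then
    value=$("$OP_BIN" read "$op_uri" 2>/dev/null || true)
  fi
  if [ -z "$value" ] && command -v "$PASS_CLI_BIN" >/dev/null 2>&1; then
    value=$("$PASS_CLI_BIN" get "$pass_item" 2>/dev/null || true)
  fi
  if [ -z "$value" ] && [ -r "$SECRETS_ENV_FILE" ]; then
    # Pull only the one key; `source`-ing the file would execute whatever is in it.
    value=$(grep -E "^(export )?${name}=" "$SECRETS_ENV_FILE" | tail -n 1 \
              | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//' || true)
  fi
  if [ -z "$value" ]; then
    echo "fetch_secret: no backend returned a value for $name" >&2
    return 1
  fi
  printf '%s' "$value"
}

# redact <value>: the only form of a secret that may appear in logs.
redact() {
  local v=$1
  if [ "${#v}" -le 12 ]; then
    printf '%s' '********'
  else
    printf '%s...%s' "${v:0:4}" "${v: -4}"
  fi
}

# export_secret <ENV_NAME> <op-uri> <pass-cli-item>: fetch and export,
# logging only the redacted form.
export_secret() {
  local value
  value=$(fetch_secret "$@") || return 1
  export "$1=$value"
  echo "loaded $1=$(redact "$value")" >&2
}

# Example use in a wrapper script (the agent command is an assumption):
#   export_secret ANTHROPIC_API_KEY "op://Private/Anthropic/api-key" "Anthropic API Key"
#   exec some-agent "$@"
```

Copy this into each wrapper script rather than `source`-ing it into an interactive shell: the `set -euo pipefail` at the top is what makes a failed `op`/`pass-cli` call abort the wrapper instead of silently exporting an empty key.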

Code

bash
# Option 1: 1Password CLI
export ANTHROPIC_API_KEY=$(op read "op://Private/Anthropic/api-key")

# Option 2: Proton Pass CLI
export ANTHROPIC_API_KEY=$(pass-cli get "Anthropic API Key")

# Option 3: Environment file (less secure, but better than hardcoding)
# ~/.env (add .env to .gitignore, and chmod 600 it: anything that can read
# the file has the key)
export ANTHROPIC_API_KEY=sk-ant-...

# Load in shell. The `export` in the file is what makes the variable visible
# to child processes such as your agent; a bare KEY=value line would only set
# a shell variable:
source ~/.env

---

#!/bin/bash
# scripts/bird-twitter.sh
# Wrapper script for bird CLI (Twitter): fetch the session tokens from the
# password manager at run time instead of keeping them in the script.
set -euo pipefail

# Assign first, then export: `export VAR=$(cmd)` returns the status of
# `export`, not of `cmd`, so a failed pass-cli lookup would go unnoticed and
# bird would run with an empty token.
TWITTER_AUTH_TOKEN=$(pass-cli get "Twitter Auth Token @andrewolke")
TWITTER_CT0=$(pass-cli get "Twitter CT0 @andrewolke")
export TWITTER_AUTH_TOKEN TWITTER_CT0
export TWITTER_USERNAME="andrewolke"

exec bird "$@"

---

# Heartbeat rotation reminder (add to HEARTBEAT.md)
## 🔑 Secret Rotation Check (Monthly)
Every 30 days, remind to rotate:
- [ ] Anthropic API key
- [ ] OpenAI API key  
- [ ] Twitter tokens
- [ ] GitHub PAT
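The heartbeat checklist above relies on someone remembering when each key was last rotated. The script below is an added example (not code from moltsec.com) that turns the reminder into a check: a small ledger file records the last rotation date per secret, and the heartbeat job reports which entries are older than the limit and fails if any are. The ledger format (one `name=YYYY-MM-DD` line per secret, blank and `#` lines ignored), its path and the function names are assumptions of this example. Date arithmetic is done in plain integer bash so the same script runs on macOS and Linux without depending on GNU `date -d`.

```bash
#!/usr/bin/env bash
# rotation-check.sh: report which secrets are past their rotation age.
# Added example; not code from moltsec.com. The ledger file (one
# "name=YYYY-MM-DD" line per secret, the date it was last rotated; blank and
# "#" lines ignored) and the function names are assumptions of this example.
set -euo pipefail

# days_from_civil <year> <month> <day>: days since 1970-01-01, integer
# arithmetic only (Howard Hinnant's civil-to-days algorithm), so it does not
# depend on GNU `date -d` and gives the same answer on macOS and Linux.
days_from_civil() {
  local y=$((10#$1)) m=$((10#$2)) d=$((10#$3))   # 10# stops "08" being read as octal
  if (( m <= 2 )); then y=$((y - 1)); fi
  local era=$(( (y >= 0 ? y : y - 399) / 400 ))
  local yoe=$(( y - era * 400 ))
  local mp=$(( m > 2 ? m - 3 : m + 9 ))
  local doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  local doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# days_since <from YYYY-MM-DD> <to YYYY-MM-DD>
days_since() {
  local from to
  from=$(days_from_civil ${1//-/ })
  to=$(days_from_civil ${2//-/ })
  echo $(( to - from ))
}

# rotation_status <max-age-days> <today YYYY-MM-DD> <ledger>
# Prints "<name> <age> OK|ROTATE" per secret; returns 1 if anything is
# overdue, so a heartbeat job can alert on the exit code alone.
rotation_status() {
  local max_age=$1 today=$2 ledger=$3 overdue=0 name last age
  while IFS='=' read -r name last || [ -n "$name" ]; do
    case "$name" in ''|'#'*) continue ;; esac
    age=$(days_since "$last" "$today")
    if (( age > max_age )); then
      printf '%s %d ROTATE\n' "$name" "$age"
      overdue=1
    else
      printf '%s %d OK\n' "$name" "$age"
    fi
  done < "$ledger"
  return "$overdue"
}

# mark_rotated <name> <date> <ledger>: record that a secret was rotated.
mark_rotated() {
  local name=$1 date=$2 ledger=$3 tmp
  tmp=$(mktemp)
  { [ -f "$ledger" ] && grep -v "^${name}=" "$ledger" || true; echo "${name}=${date}"; } > "$tmp"
  mv "$tmp" "$ledger"
}

# Heartbeat use (ledger path and notify command are assumptions):
#   rotation_status 30 "$(date +%F)" "$HOME/.secret-rotation" || notify "secrets overdue"
#   mark_rotated anthropic "$(date +%F)" "$HOME/.secret-rotation"
```

The ledger holds only names and dates, never the secrets themselves, so it can live next to HEARTBEAT.md without changing what a leak of that file would expose.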

Installation

  1. Choose your secret manager (1Password, Proton Pass, or .env)
  2. Store all API keys in the manager
  3. Create wrapper scripts that fetch secrets at runtime
  4. Add .env to .gitignore if using env files
  5. Add rotation reminders to HEARTBEAT.md
  6. Never commit secrets to git
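Steps 4 and 6 are the ones a `.gitignore` entry alone does not enforce: a key pasted into a script or a config file is still committed. The hook below is an added example, not code from moltsec.com. It scans the added lines of the staged diff for the public prefixes of the token types named on this page (plus AWS access key IDs and PEM private keys), prints each hit with the token masked, and refuses the commit. The hook path, the function names and the sample lines used in the test are assumptions of this example.

```bash
#!/usr/bin/env bash
# pre-commit secret scan: refuse a commit whose staged additions contain
# anything shaped like an API key or private key.
# Added example; not code from moltsec.com. Install it as
# .git/hooks/pre-commit (that path and the function names are assumptions);
# the regexes are the public prefixes of the token types this page names,
# plus AWS access key IDs and PEM private keys.
set -euo pipefail

# One extended regex per token family, most specific first.
SECRET_PATTERNS=(
  'sk-ant-[A-Za-z0-9_-]{20,}'                # Anthropic
  'sk-[A-Za-z0-9_-]{20,}'                    # OpenAI (sk-..., sk-proj-...)
  '(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}'    # GitHub classic tokens
  'github_pat_[A-Za-z0-9_]{22,}'             # GitHub fine-grained PAT
  'AKIA[0-9A-Z]{16}'                         # AWS access key id
  '-----BEGIN( [A-Z]+)? PRIVATE KEY-----'    # PEM private key
)

# mask <line>: replace every match with [REDACTED] so the finding can be
# printed without copying the secret into the terminal or a CI log.
mask() {
  local line=$1 p
  for p in "${SECRET_PATTERNS[@]}"; do
    line=$(printf '%s\n' "$line" | sed -E "s/$p/[REDACTED]/g")
  done
  printf '%s' "$line"
}

# scan_for_secrets: reads lines on stdin, prints "line N: <masked line>" for
# each hit, and returns 1 if anything was found (0 when clean).
scan_for_secrets() {
  local found=0 n=0 line p
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    for p in "${SECRET_PATTERNS[@]}"; do
      # -e: a pattern starting with "-----" must not be read as an option
      if printf '%s\n' "$line" | grep -Eq -e "$p"; then
        printf 'line %d: %s\n' "$n" "$(mask "$line")"
        found=1
        break
      fi
    done
  done
  return "$found"
}

# check_staged: only the added lines of the staged diff, "+" prefix stripped
# and the "+++ b/file" headers excluded. Fails closed outside a repository.
check_staged() {
  git rev-parse --git-dir >/dev/null || return 1
  { git diff --cached -U0 --no-color | grep '^+[^+]' || true; } | cut -c2- | scan_for_secrets
}

# Run the check only when git invokes this file as the hook; sourced or run
# under another name it just defines the functions above.
if [ "$(basename "$0")" = "pre-commit" ]; then
  check_staged || { echo "pre-commit: possible secret in staged changes; commit refused" >&2; exit 1; }
fi
```

Prefix matching is deliberately narrow: it catches the key formats you actually use without flagging every long hex string, and it is a backstop for the wrapper-script approach, not a substitute for it. The scanner sees only the lines being added, so a key already in history still needs rotating, not just deleting.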
