Skip to content

Add secure API key management via ccr config command #643

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
didgeoridoo wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add secure API key management via ccr config command #643

didgeoridoo wants to merge 1 commit into from

Conversation

@didgeoridoo
Copy link

@didgeoridoo didgeoridoo commented Aug 19, 2025

Fixes #642

Summary

Implements secure credential storage for API keys, eliminating the need for environment variables or hardcoded keys in config.json.

Implementation Details

New ccr config Command

  • ccr config set <provider> - Store API key (supports interactive and piped input)
  • ccr config get <provider> - Check if key is configured (never shows full key)
  • ccr config list - List all configured providers with masked keys
  • ccr config delete <provider> - Remove stored API key

Storage Approach

  • Keys stored in ~/.claude-code-router/keys as JSON
  • File permissions set to 0600 (owner read/write only)
  • Follows same security model as SSH, AWS CLI, npm, Docker
  • Cross-platform compatible (Unix permissions on Linux/macOS, user profile isolation on Windows)

Integration

  • Modified interpolateEnvVars to check keystore first, then environment variables
  • Fully backward compatible - existing env var setups continue to work
  • Warning shown when both keystore and env var exist (keystore takes precedence)

Architecture

  • Clean KeyStore interface for future extensibility
  • Current implementation: FileKeyStore using filesystem with strict permissions
  • Future PR can add NativeKeyStore for OS keychains (macOS Keychain, Windows Credential Manager, Linux Secret Service)

Testing

  • Tested storing, retrieving, listing, and deleting keys
  • Verified integration with Cerebras API
  • Confirmed backward compatibility with environment variables
  • Tested piped input for easy migration

Security Considerations

  • No new dependencies required
  • Keys never displayed in full
  • Same security boundary as other CLI tools (filesystem permissions)
  • No encryption complexity that could fail - simple and reliable

Migration Path

# Easy migration from environment variables
echo $CEREBRAS_API_KEY | ccr config set cerebras
unset CEREBRAS_API_KEY

Next Steps

Future PR will add optional native OS keychain support via @napi-rs/keyring for users who want additional security beyond filesystem permissions.

@didgeoridoo
Add secure API key management with ccr config command
968ccf1 
Implements a secure credential storage system following Unix conventions
similar to SSH, AWS CLI, npm, and Docker.

## Features
- New 'ccr config' command for managing API keys
- Stores keys in ~/.claude-code-router/keys with 0600 permissions
- Keys take precedence over environment variables for easier management
- Supports piped input for easy migration from env vars
- Backward compatible - env vars still work as fallback

## Security Model
Uses standard Unix file permissions as the security boundary, identical
to ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, etc. This follows the
principle: 'If someone can read your home directory files, you're
already compromised.'

## Usage
- ccr config set <provider>    # Store API key
- ccr config get <provider>    # Check if configured
- ccr config list              # List all providers
- ccr config delete <provider> # Remove API key

## Migration from Environment Variables
echo $CEREBRAS_API_KEY | ccr config set cerebras

## Future Enhancement
The KeyStore interface is designed to support multiple backends.
A follow-up PR will add native OS keychain support (macOS Keychain,
Windows Credential Manager, Linux Secret Service) as an alternative
backend for enhanced security.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enhancement: Add secure API key management via ccr config command

1 participant

@didgeoridoo