nikolas.sapa
April 16, 2026

14 — Secrets & Env

Where API keys live, what ends up in git, what needs rotating. The boring stuff that matters the day someone sees your repo.

Security note: This page lists key names, file paths, and purposes only. No actual secret values.


The rule

Keep credentials in dedicated config files — never in settings.json, never in shell rc files.

Each tool has a canonical config location. Use it. Don't export ANTHROPIC_API_KEY=... in ~/.zshrc. That leaks into every process you run.


Where secrets typically live

Different credential types have different canonical homes:

  • LLM API keys (Anthropic, Groq, OpenAI, etc.) → a dedicated ~/.config/<provider>/.env per provider
  • Messaging / bot integrations → ~/.claude/channels/<integration>/.env or equivalent plugin state dir
  • Deploy tokens (Vercel, Fly, Netlify, Railway) → CLI-managed keyring — authenticate with the provider's CLI, not a file
  • Cloud provider credentials (AWS, GCP, Azure) → CLI-managed — gcloud auth login, aws configure, etc.
  • Claude Code session → ~/.claude/ (CLI-managed) — don't touch manually

OAuth MCPs (Notion, Figma, Slack, Google Drive, Gmail, and similar) store their tokens inside the plugin layer. You re-authenticate through Claude Code, not by editing a file.


Claude Code settings — env block

File: ~/.claude/settings.json

"env": {
  "CLAUDE_CODE_DISABLE_AUTO_MEMORY": "1",
  "CLAUDE_CODE_SUBAGENT_MODEL": "sonnet"
}

These are injected into every Claude Code process:

  • CLAUDE_CODE_DISABLE_AUTO_MEMORY=1 — turns off the built-in auto-memory feature (useful if you manage memory yourself)
  • CLAUDE_CODE_SUBAGENT_MODEL=sonnet — default model for spawned subagents

No API keys here. This block is for behaviour flags, not credentials.
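Two helpers that make "The rule" and the settings.json point above checkable. Added here as an example; not code from the original page and not part of Claude Code or any provider CLI. with_provider_env runs one command with the variables from ~/.config/<provider>/.env so the key never sits in the parent shell; audit_for_secrets scans shell rc files and a settings.json for credential-looking entries and reports key names only. It assumes plain KEY=value lines in the provider file (dotenv quoting is not parsed); ENV_DIR is a hypothetical override, defaulting to ~/.config, so the functions can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page. ENV_DIR is a hypothetical override
# (default ~/.config) so the helpers can be exercised against a temp directory.
ENV_DIR="${ENV_DIR:-$HOME/.config}"

# Run ONE command with the variables from $ENV_DIR/<provider>/.env.
# Nothing is exported into the calling shell, so the key is visible only to
# that child process, not to every process started from the terminal.
with_provider_env() {
  provider="$1"; shift
  file="$ENV_DIR/$provider/.env"
  [ -r "$file" ] || { echo "no env file for $provider at $file" >&2; return 2; }
  # Refuse a key file that group/other can read (expect mode 600).
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$perms" in
    *00) ;;
    *) echo "$file is mode $perms, expected 600" >&2; return 3 ;;
  esac
  # Collect KEY=value lines and hand them to env(1) in front of the command.
  # Comments, blank lines and anything that is not NAME=value are skipped.
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#export }"
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *=*) ;; *) continue ;; esac
    case "${line%%=*}" in ''|*[!A-Za-z0-9_]*) continue ;; esac
    set -- "$line" "$@"
  done < "$file"
  env "$@"
}

# Scan files (shell rc files, settings.json, ...) for lines that set a
# credential-looking name, either NAME=... or "NAME": ... . Only the file,
# line number and key name are printed, never the value, so the report is
# safe to paste into a ticket. Returns 0 when clean, 1 when anything was found.
audit_for_secrets() {
  found=0
  pat='^[[:space:]]*(export[[:space:]]+)?"?[A-Za-z0-9_]*(API_KEY|TOKEN|SECRET|PASSWORD)[A-Za-z0-9_]*"?[[:space:]]*[=:]'
  for f in "$@"; do
    [ -f "$f" ] || continue
    n=$(grep -cE "$pat" "$f") || n=0
    [ "$n" -gt 0 ] || continue
    found=$((found + n))
    printf '%s:\n' "$f"
    grep -nE "$pat" "$f" |
      sed -E 's/^([0-9]+):[[:space:]]*(export[[:space:]]+)?"?([A-Za-z0-9_]+).*/  line \1: \3/'
  done
  [ "$found" -eq 0 ]
}
```

Typical use: `with_provider_env anthropic some-cli ...` instead of exporting the key, and `audit_for_secrets ~/.zshrc ~/.bashrc ~/.claude/settings.json` as a periodic check; a non-zero exit means something needs to move into its provider's .env.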


Re-authenticating MCPs

Most MCP tokens expire silently. When a tool starts failing, re-auth is usually the fix.

  • Inside Claude Code: run /mcp, pick the server, re-authenticate in the browser.
  • From a CLI: gh auth login --web, vercel login, gcloud auth login, stripe login.
  • Tokens in an .env file (Groq, Telegram, Anthropic API): regenerate at the provider dashboard, paste into the file.

Project .env files

Every project has its own .env (or .env.local, .env.production) for app-specific keys — database URLs, Stripe keys, webhook secrets.

Three rules:

  1. Every .env* file goes in .gitignore. No exceptions.
  2. Never commit an example .env with real values. Use .env.example with placeholders.
  3. After rotating a project-level key, redeploy or restart the running service.
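Rules 1 and 2 as a check you can run in any repo. Added here as an example, not code from the original page or from git itself. check_env_files needs a git working tree and reports .env* files that are already tracked or that are untracked but not ignored; make_env_example derives .env.example from .env by keeping comments and key names and replacing every value with a <KEY> placeholder. It assumes plain KEY=value lines.

```shell
#!/bin/sh
# Added example, not from the original page. Needs git and POSIX awk/grep.

# Rule 1: list .env* files (except .env.example) that git already tracks, or
# that are untracked but NOT ignored (one careless `git add .` from tracked).
# Prints one line per offender; exit 0 means clean.
check_env_files() {
  dir="${1:-.}"
  bad=0
  envpat='(^|/)\.env(\.[^/]+)?$'
  tracked=$(git -C "$dir" ls-files | grep -E "$envpat" | grep -v '\.env\.example$' || true)
  unignored=$(git -C "$dir" ls-files --others --exclude-standard | grep -E "$envpat" | grep -v '\.env\.example$' || true)
  for f in $tracked;   do echo "TRACKED (already in the index): $f";         bad=$((bad + 1)); done
  for f in $unignored; do echo "NOT IGNORED (git add . would track it): $f"; bad=$((bad + 1)); done
  [ "$bad" -eq 0 ]
}

# Rule 2: write .env.example from .env. Comments and blank lines pass through,
# KEY=value becomes KEY=<KEY>, anything else is replaced by a marker comment.
# Only ever run it in this direction; the example file must never hold values.
make_env_example() {
  src="${1:-.env}"; dst="${2:-.env.example}"
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    /^(export[ \t]+)?[A-Za-z_][A-Za-z0-9_]*=/ {
      key = $0; sub(/=.*/, "", key); sub(/^export[ \t]+/, "", key)
      print key "=<" key ">"; next
    }
    { print "# (removed: line was not KEY=value)" }
  ' "$src" > "$dst"
}
```

Run `check_env_files` from a pre-commit hook or CI step and fail the build on non-zero exit; regenerate .env.example with `make_env_example` whenever a new key is added so the placeholder file stays in sync without ever carrying a real value.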

Rotation checklist

When rotating any credential:

  1. LLM API keys (Anthropic, Groq, etc.) → regenerate at the provider dashboard, paste into the relevant ~/.config/<provider>/.env
  2. Bot / messaging integrations → regenerate at the provider, paste into the integration's .env file
  3. GitHub → gh auth refresh (keyring auto-updates)
  4. Deploy CLIs (Vercel, Netlify, Fly, etc.) → run the provider's login command (vercel login, flyctl auth login, etc.)
  5. Cloud providers → gcloud auth login, aws configure, etc.
  6. OAuth MCPs (Notion, Figma, Slack, Google) → re-run the authenticate tool inside Claude Code

After rotating anything a deployed service uses, trigger a redeploy.
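The "paste into the .env file" steps (1 and 2 above) done without the new value ever appearing in argv or shell history. Added here as an example; not code from the original page or from any provider. rotate_env_key reads the new value from stdin, rewrites the file through a temp file and mv so a reader never sees a half-written file, and leaves it at mode 600. It assumes plain KEY=value lines (dotenv quoting is not parsed).

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: printf '%s\n' "$NEW_VALUE" | rotate_env_key ~/.config/groq/.env GROQ_API_KEY
# or, interactively, read the value with `read -rs` and pipe it in.
rotate_env_key() {
  file="$1"; key="$2"
  # Only a plain variable name is accepted, so it is safe inside the regexes below.
  case "$key" in ''|*[!A-Za-z0-9_]*) echo "bad key name" >&2; return 2 ;; esac
  # The value comes from stdin, never from the command line.
  IFS= read -r value || [ -n "$value" ]
  [ -n "$value" ] || { echo "empty value on stdin" >&2; return 2; }
  newf="$file.tmp.$$"
  ( umask 077   # the temp file is private from the moment it is created
    if [ -f "$file" ] && grep -qE "^(export[[:space:]]+)?$key=" "$file"; then
      # Replace the existing line; keep any 'export ' prefix. The value is
      # passed through the environment, not -v, so backslashes survive intact.
      NEWVAL="$value" awk -v k="$key" '
        BEGIN { v = ENVIRON["NEWVAL"] }
        $0 ~ ("^(export[ \t]+)?" k "=") { print substr($0, 1, index($0, "=")) v; next }
        { print }' "$file" > "$newf"
    else
      # Key not present yet: copy the file (awk normalises a missing final
      # newline) and append the new line.
      { [ -f "$file" ] && awk '{ print }' "$file"; printf '%s=%s\n' "$key" "$value"; } > "$newf"
    fi
  ) && chmod 600 "$newf" && mv -f "$newf" "$file"
}
```

After the file is rewritten, the old value still exists at the provider until revoked and in any service that loaded it; revoke it at the dashboard and restart or redeploy, as the checklist says.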