Add secure API key management via ccr config command #643
+349
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements a secure credential storage system following Unix conventions similar to SSH, AWS CLI, npm, and Docker. ## Features - New 'ccr config' command for managing API keys - Stores keys in ~/.claude-code-router/keys with 0600 permissions - Keys take precedence over environment variables for easier management - Supports piped input for easy migration from env vars - Backward compatible - env vars still work as fallback ## Security Model Uses standard Unix file permissions as the security boundary, identical to ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, etc. This follows the principle: 'If someone can read your home directory files, you're already compromised.' ## Usage - ccr config set <provider> # Store API key - ccr config get <provider> # Check if configured - ccr config list # List all providers - ccr config delete <provider> # Remove API key ## Migration from Environment Variables echo $CEREBRAS_API_KEY | ccr config set cerebras ## Future Enhancement The KeyStore interface is designed to support multiple backends. A follow-up PR will add native OS keychain support (macOS Keychain, Windows Credential Manager, Linux Secret Service) as an alternative backend for enhanced security.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #642
Summary
Implements secure credential storage for API keys, eliminating the need for environment variables or hardcoded keys in config.json.
Implementation Details
New
ccr configCommandccr config set <provider>- Store API key (supports interactive and piped input)ccr config get <provider>- Check if key is configured (never shows full key)ccr config list- List all configured providers with masked keysccr config delete <provider>- Remove stored API keyStorage Approach
~/.claude-code-router/keysas JSONIntegration
interpolateEnvVarsto check keystore first, then environment variablesArchitecture
KeyStoreinterface for future extensibilityFileKeyStoreusing filesystem with strict permissionsNativeKeyStorefor OS keychains (macOS Keychain, Windows Credential Manager, Linux Secret Service)Testing
Security Considerations
Migration Path
Next Steps
Future PR will add optional native OS keychain support via @napi-rs/keyring for users who want additional security beyond filesystem permissions.