Skip to content

API Key Management

This document provides best practices for managing API keys with noidea.

Secure Storage

As of version v0.3.0, noidea securely stores API keys using your system's native keyring/keychain when available:

  • macOS: Uses the Keychain
  • Windows: Uses the Windows Credential Manager
  • Linux: Uses the Secret Service API (requires libsecret)

If the system keyring is unavailable, a fallback encrypted storage is used in ~/.noidea/secure/.

Setting Up Your API Key

You can set up your API key in several ways:

# Set up API key securely
noidea config apikey

# Check API key storage status
noidea config apikey-status

# Remove a stored API key
noidea config apikey-remove

# Generate commands to clean environment variables
noidea config clean-env

When setting up a key with noidea config apikey, the system will: 1. Prompt for the API key (input is hidden for security) 2. Validate the key with the provider to ensure it works 3. Store the key securely in your system's keyring or fallback storage

The apikey-status command will: 1. Show which storage system is being used 2. Check if your API key is valid with a test request 3. Display whether the key is working correctly

2. Using Environment Variables (Alternative)

You can still use environment variables if you prefer:

# For xAI
export XAI_API_KEY=your_api_key_here

# For OpenAI
export OPENAI_API_KEY=your_api_key_here

# For DeepSeek
export DEEPSEEK_API_KEY=your_api_key_here

# Generic (will use whatever provider is configured)
export NOIDEA_API_KEY=your_api_key_here

Important Note: Environment variables will take precedence over secure storage. If you want to use secure storage, make sure these environment variables are not set.

While still supported for backward compatibility, we recommend transitioning away from .env files:

# Create or edit ~/.noidea/.env
XAI_API_KEY=your_api_key_here

Provider Aliases

NoIdea supports a flexible provider aliasing system that maps different names to standard provider identifiers. This is helpful for users who might refer to the same provider by different names.

Built-in Aliases

The system comes with default aliases for common providers:

Standard Name Recognized Aliases
openai open-ai, gpt, chatgpt, davinci
xai x-ai, grok, x.ai
deepseek deep-seek, deepseek-ai
anthropic claude, anthropic-ai
mistral mistral-ai, mistralai

Custom Provider Aliases

You can define your own aliases by creating or editing the file ~/.noidea/secure/provider_aliases.json:

{
  "openai": ["openai-custom", "my-gpt"],
  "custom-provider": ["custom1", "custom2"]
}

When you first use the secure storage system, a template file is automatically created with examples.

Custom aliases are merged with the built-in ones, with your custom aliases taking precedence in case of conflicts.

For example, with the configuration above: - openai-custom would be normalized to openai - custom1 would be normalized to custom-provider - You can add entirely new providers not included in the built-in list

This feature is especially useful for: - Teams with custom naming conventions - Using providers not officially supported yet - Creating shortcuts for commonly used providers

API Key Priority Order

The system uses the following order of precedence when looking for API keys:

  1. Environment variables (highest priority)
  2. Secure storage (keyring/keychain or fallback encrypted file)
  3. Config file (lowest priority - not recommended for API keys)

If you've set up a key using secure storage but it's not being used, check if any environment variables are overriding it with:

noidea config apikey-status

To clean environment variables and use secure storage instead:

noidea config clean-env

This will generate commands you can run to remove API key environment variables.

API Key Security Best Practices

  1. Never commit API keys to version control
  2. Ensure .env files are in your .gitignore

  3. Use secure storage or environment variables instead

  4. Rotate keys periodically

  5. Change your API keys regularly

  6. Use noidea config apikey to update your stored key

  7. Use the least privileged key possible

  8. Only use keys with the permissions your application needs

  9. Monitor key usage

  10. Check the provider's dashboard for unusual activity

  11. Set up usage alerts if available

  12. Environment separation

  13. Use different keys for development and production

Troubleshooting

If you encounter issues with secure storage:

  1. Check storage status and key validity 
    noidea config apikey-status
    This command will verify:
  2. If your keyring is available
  3. If your API key is properly stored

  4. If your API key is valid and working

  5. Ensure dependencies are installed

  6. On Linux, install libsecret: sudo apt-get install libsecret-1-dev

  7. Remove environment variables

  8. If secure storage is working but not being used, environment variables may be taking precedence 

    noidea config clean-env

  9. If validation fails

  10. Check if your API key is correct
  11. Ensure you have an active subscription with the provider

  12. Check if your network can reach the provider's API servers

  13. Provider alias issues

  14. If your provider isn't being recognized correctly, check or customize the aliases in ~/.noidea/secure/provider_aliases.json
  15. Ensure the JSON file is valid and properly formatted

Migration from Previous Versions

If you're upgrading from a version before v0.3.0:

  1. Use the migration script to move your API key to secure storage: 

    ./scripts/migrate_to_secure.sh

  2. Or run noidea config apikey to set up your API key securely

  3. Remove any API keys from .env files or your config file

  4. Remove API key environment variables with: 

    noidea config clean-env

For more information, please see the Configuration Guide.