Before: the standard .env approach

.env.local (must never be committed)

```
OPENAI_API_KEY=sk-proj-<YOUR_OPENAI_KEY>
STRIPE_SECRET_KEY=sk_live_<YOUR_STRIPE_KEY>
GITHUB_TOKEN=ghp_<YOUR_GITHUB_TOKEN>
```

✗ Must be excluded from git (.gitignore)
✗ Cannot be shared with teammates without risk
✗ Cannot be committed even to private repos safely
✗ Each new developer must get real keys manually
Migration steps

1. Create tokens in the KeyVault Edge dashboard

Go to Tokens → New Token for each API key you want to protect. Enter the real key, select the provider, and add your authorised origins (e.g., yourdomain.com, localhost). Keep that list as short as you can: it is what limits where the token can be used from. Copy the generated kve_hb_... token.

2. Replace values in your .env file

.env (now safe to commit)

```
OPENAI_API_KEY=kve_hb_<YOUR_OPENAI_TOKEN>
OPENAI_BASE_URL=https://openai.keyvaultedge.com/v1
STRIPE_SECRET_KEY=kve_hb_<YOUR_STRIPE_TOKEN>
STRIPE_BASE_URL=https://stripe.keyvaultedge.com
GITHUB_TOKEN=kve_hb_<YOUR_GITHUB_TOKEN>
GITHUB_API_BASE=https://github.keyvaultedge.com
```

Each credential variable gets a matching base-URL variable so the SDK talks to the proxy instead of the provider; without the base URL the SDK keeps calling the provider directly, where a kve_hb_ token means nothing. The kve_hb_ token is still the credential the proxy accepts, so if one leaks, revoke it in the dashboard rather than relying on the origin list alone.

3. Remove .env files from .gitignore (optional)

Your .env file no longer contains real credentials, so it can be tracked in git. This makes onboarding new developers trivial: they clone the repo and have a working environment immediately. Before the first commit, confirm that no real key is left behind in the file (for the providers above, anything starting with sk-proj-, sk_live_ or ghp_). You may still want to keep .env.local gitignored for truly local-only overrides.

4. Verify nothing broke

```
# Run your test suite: SDK calls should work identically
npm test

# Or make a quick manual API call through the proxy
curl https://openai.keyvaultedge.com/v1/models \
  -H "Authorization: Bearer $OPENAI_API_KEY"
```

The curl call carries only the kve_hb_ token; the real OpenAI key never leaves the proxy. It is also a quick way to confirm that the origin you are testing from is on the token's allowlist from step 1.
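The following pre-commit check is an added example, not KeyVault Edge's own tooling. It parses a .env file and reports anything that would make the file unsafe to track after the migration above: a raw provider key still present (it recognises the sk-proj-, sk_live_ and ghp_ prefixes from the "before" file), a protected variable that is not a kve_hb_ token, or a missing or non-HTTPS base URL that would leave the SDK talking to the provider directly. The variable pairings, the kve_hb_ prefix and the keyvaultedge.com hosts are taken from step 2; the file name check-env.js, the two embedded sample files and the extra prefix handling are assumptions of this example.

```javascript
// Added example (not KeyVault Edge's own tooling): a pre-commit check that a
// migrated .env contains only proxy tokens and proxy base URLs. It relies only
// on what the migration guide shows: the kve_hb_ token prefix, the
// *.keyvaultedge.com base URLs, and the raw-key prefixes from the "before" file.

// Prefixes of real provider credentials that must never appear in a tracked
// file. Taken from the "before" example; extend the list for other providers.
const RAW_KEY_PREFIXES = ["sk-proj-", "sk_live_", "ghp_"];
const PROXY_TOKEN_PREFIX = "kve_hb_";
const PROXY_DOMAIN = "keyvaultedge.com";

// Credential variable -> base-URL variable that must point the SDK at the
// proxy, paired exactly as in step 2 of the guide.
const PROXY_PAIRS = {
  OPENAI_API_KEY: "OPENAI_BASE_URL",
  STRIPE_SECRET_KEY: "STRIPE_BASE_URL",
  GITHUB_TOKEN: "GITHUB_API_BASE",
};

// Minimal dotenv parser: KEY=VALUE per line, optional `export`, single or
// double quotes, `#` comments (whole-line or trailing). Later definitions win.
function parseDotenv(text) {
  const env = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const raw = m[2].trim();
    const quoted = /^(["'])(.*?)\1/.exec(raw);
    env[m[1]] = quoted ? quoted[2] : raw.replace(/\s+#.*$/, "").trim();
  }
  return env;
}

// Returns human-readable findings; an empty array means the file is safe to track.
function checkEnv(text) {
  const env = parseDotenv(text);
  const findings = [];

  // 1. No raw provider credential anywhere, whatever the variable is called.
  for (const [name, value] of Object.entries(env)) {
    const hit = RAW_KEY_PREFIXES.find((p) => value.startsWith(p));
    if (hit) findings.push(`${name}: raw provider key (${hit}...) must not be committed`);
  }

  // 2. Each protected credential is a proxy token, and its SDK is routed to
  //    the proxy over HTTPS. Without the base URL the SDK keeps calling the
  //    provider directly, where a kve_hb_ token is meaningless.
  for (const [keyVar, urlVar] of Object.entries(PROXY_PAIRS)) {
    if (!(keyVar in env)) continue;
    if (!env[keyVar].startsWith(PROXY_TOKEN_PREFIX)) {
      findings.push(`${keyVar}: expected a ${PROXY_TOKEN_PREFIX} token`);
    }
    if (!env[urlVar]) {
      findings.push(`${urlVar}: missing, SDK would still call the provider directly`);
      continue;
    }
    let url;
    try {
      url = new URL(env[urlVar]);
    } catch {
      findings.push(`${urlVar}: not a valid URL`);
      continue;
    }
    if (url.protocol !== "https:") findings.push(`${urlVar}: must use https`);
    if (url.hostname !== PROXY_DOMAIN && !url.hostname.endsWith("." + PROXY_DOMAIN)) {
      findings.push(`${urlVar}: ${url.hostname} is not a ${PROXY_DOMAIN} host`);
    }
  }
  return findings;
}

// Constructed samples mirroring the guide's before/after files (placeholder values).
const BEFORE_ENV = `# constructed sample: pre-migration .env.local
OPENAI_API_KEY=sk-proj-PLACEHOLDER
STRIPE_SECRET_KEY=sk_live_PLACEHOLDER
GITHUB_TOKEN=ghp_PLACEHOLDER
`;
const AFTER_ENV = `# constructed sample: migrated .env
OPENAI_API_KEY=kve_hb_PLACEHOLDER
OPENAI_BASE_URL=https://openai.keyvaultedge.com/v1
STRIPE_SECRET_KEY="kve_hb_PLACEHOLDER"  # quotes and comments are fine
STRIPE_BASE_URL=https://stripe.keyvaultedge.com
GITHUB_TOKEN=kve_hb_PLACEHOLDER
GITHUB_API_BASE=https://github.keyvaultedge.com
`;

// Usage: node check-env.js path/to/.env   (file name is hypothetical).
// With no argument, the two constructed samples are reported instead.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const inputs = path
    ? { [path]: require("node:fs").readFileSync(path, "utf8") }
    : { "BEFORE_ENV (sample)": BEFORE_ENV, "AFTER_ENV (sample)": AFTER_ENV };
  let failed = false;
  for (const [label, text] of Object.entries(inputs)) {
    const findings = checkEnv(text);
    console.log(`${label}: ${findings.length ? "NOT safe to commit" : "ok"}`);
    for (const f of findings) console.log("  - " + f);
    failed = failed || findings.length > 0;
  }
  if (path && failed) process.exit(1); // non-zero exit blocks the commit in a hook
}
```

Wire it into a pre-commit hook (for example via husky or a plain .git/hooks/pre-commit) so the check runs on every commit that touches .env; the raw-key scan applies to every variable, not only the three paired ones, because a real key pasted under a different name is just as bad.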
After: what you've gained

✓ .env file is safe to commit to version control
✓ New developers get working API access by cloning the repo
✓ Real keys never touch developer machines or CI pipelines
✓ Breach alert fires if a token is used from an unauthorised origin
✓ Revoke a token in seconds from the dashboard without rotating the real key