opencode icon indicating copy to clipboard operation
opencode copied to clipboard
Published 17 hours ago verified publisher icon anomalyco

[FEATURE]: Store provider credentials in environment variables

Open nagyv opened this issue 1 month ago • 1 comments

Feature hasn't been suggested before.

  • [x] I have verified this feature I'm about to request hasn't been suggested before.

Describe the enhancement you want to request

User problem

As a security minded user, I don't want to store api keys in files, especially not in a shared environment.

Instead of storing provider credentials in ~/.local/share/opencode/auth.json, I'd prefer to either have the location configurable (e.g. setting $OPENCODE_AUTH_JSON would tell opencode where it should read/write the auth.json file) or allow passing provider keys through environment variables.

Proposal

I see two different approaches

Configurable auth.json location (recommended)

Currently, the location of the opencode auth.json is hardcoded. We should make this configurable with the OPENCODE_AUTH_JSON environment variable. The default value can be ~/.local/share/opencode/auth.json to keep it backward compatible.

Passing provider keys from environment variables

I see three possible approaches:

  1. for every configured provider with an invalid/not configured apiKey, opencode looks for the OPENCODE_<PROVIDERNAME>_APIKEY environment variable
  2. for every known provider, opencode looks for the OPENCODE_<PROVIDERNAME>_APIKEY environment variable
  3. for every configured provider with type: "api", keyFrom: "envVar" opencode looks for the OPENCODE_<PROVIDERNAME>_APIKEY environment variable

Related issues

  • https://github.com/sst/opencode/issues/318 is the closes related, but it misses the configurable auth.json proposal that could work well in many situations

nagyv avatar Dec 12 '25 06:12 nagyv

This issue might be a duplicate of existing issues. Please check:

  • #4961: Feature Request: Zero-Trust Architecture for Environment Variable Security - Discusses protecting credentials when transmitted to LLM providers, with broader security scope
  • #318: feature: Ability to pass credentials without storing in environment file - Requests environment variable and command substitution support for provider credentials
  • #4318: [FEATURE]: Allow storage of secrets in system credential store - Proposes storing API keys in system keyring/credential stores instead of plaintext files

Feel free to ignore if your specific use case differs from these alternatives.

github-actions[bot] avatar Dec 12 '25 06:12 github-actions[bot]