Environment Variables Without Leaking Secrets

Environment variables are often necessary for providers, APIs, deployment tools, and integrations. They are also a common source of leaks in screenshots, logs, and public examples.

Safe documentation pattern

Use variable names without values:

OPENROUTER_API_KEY
ANTHROPIC_API_KEY
DISCORD_BOT_TOKEN

Never publish real tokens, OAuth refresh tokens, session cookies, webhook secrets, database URLs, or private service-account JSON.

Where secrets belong

Use Hermes auth flows, config-supported secret locations, environment files, or platform secret managers. Do not paste secrets into prompts or wiki articles.

Screenshot hygiene

Before publishing a terminal screenshot, check:

  • Prompt path
  • Command history
  • Environment output
  • Error traces
  • Browser URL bar
  • File names and tab titles

If a secret leaks

  • Delete or unpublish the exposed material if possible.
  • Rotate the secret immediately.
  • Check logs and deployments that may have copied it.
  • Replace public examples with fake values.

Good example

hermes auth add openai-codex
hermes config check
hermes doctor

This shows the workflow without revealing the credential.