Environment Variables Without Leaking Secrets
Environment variables are often necessary for providers, APIs, deployment tools, and integrations. They are also a common source of leaks in screenshots, logs, and public examples.
Safe documentation pattern
Use variable names without values:
OPENROUTER_API_KEY
ANTHROPIC_API_KEY
DISCORD_BOT_TOKENNever publish real tokens, OAuth refresh tokens, session cookies, webhook secrets, database URLs, or private service-account JSON.
Where secrets belong
Use Hermes auth flows, config-supported secret locations, environment files, or platform secret managers. Do not paste secrets into prompts or wiki articles.
Screenshot hygiene
Before publishing a terminal screenshot, check:
- Prompt path
- Command history
- Environment output
- Error traces
- Browser URL bar
- File names and tab titles
If a secret leaks
- Delete or unpublish the exposed material if possible.
- Rotate the secret immediately.
- Check logs and deployments that may have copied it.
- Replace public examples with fake values.
Good example
hermes auth add openai-codex
hermes config check
hermes doctorThis shows the workflow without revealing the credential.
