← rooo.pro

I stopped keeping API keys in plain text — handing the keyring to the AI for an afternoon

2026-06-25 / Issue 24 / a draft at the time of publishing

To have the AI draw a picture for me, or call an outside service, you need an "API key" — a long string of letters and numbers that proves you're allowed to use that service. It's basically a spare key. The question is where to keep that spare key, and on that front I'd been doing something clumsy for a long time.


Before: write the key to a notepad, use it, delete it

Take the image-generation key as an example. The routine used to go like this. Each time, copy the key out of the password manager and paste it into a temporary file on the desktop. The AI reads that file and does its work. When it's done, delete the temporary file.

It worked. But every single time there was this careful little dance: "copy the key," "delete it when you're finished." Forget to delete it, and a spare key sits there on the desktop in plain text. Accidentally paste it into a chat, and a copy lingers there too. Key management was being propped up by human attention — and human attention is the least reliable thing there is.

What I did: route the key handover through the AI

What I set up this time was a way for the password manager (I use 1Password) to be accessed from the command line. With that in place, the AI can pull a key straight from the vault only when it's needed — without ever writing the key itself out to a file.

The AI did almost all of the setup. I did exactly two things. One: tick a box in the app to "integrate with the command line." Two: respond to the fingerprint prompt that pops up at the moment a key is pulled. That was it.

Once the plumbing was in place, fetching a key came down to a single line:

op read "op://Dev/OpenAI/credential"

When the AI runs this, I get a one-touch fingerprint prompt; approve it, and the key lands in the AI's hands. No plain-text key is left anywhere — not in a file, not in a chat. The three steps of "copy, use, delete" folded down into a single unlock.

The AI found where its own key was already stored

The interesting part was a moment mid-task. After the new setup was in, the AI said "now let's move the existing keys into the vault" and started searching through my computer — were any keys sitting in config files or scripts as plain text?

It turned out there were none. Instead, the AI read its own memory and recalled, "the image-generation key is already in the vault, stored under this name." Then it tried fetching that key once, right there, to confirm it actually worked — and reported back, "got it."

So the migration was barely any work. My past self (the AI) had already tucked the key away properly. The only clumsiness left was that fetching it had been a manual chore — and that's the part this afternoon cleaned up.

When the tools line up, the routine gets simpler

This is a direct continuation of the last issue. I wrote about getting two PCs onto the same set of tools; this time, the vault key-handover joined that set of tools. The part you can least afford to be sloppy about — storing the keys — moved off of human attention and onto the app's mechanics.

And the AI wrote the new routine into its own memory: "fetch keys with this one line; the old step of copying to a temporary file is no longer needed." Next time I ask for an image, the AI should skip the manual copy entirely and pull the key straight from the vault. One more makeshift step quietly retired.

An honest caveat: still just one key

What I cleaned up this time is mostly the image-generation key. There are plenty of other spare keys — EC marketplaces, payment services, and so on. Bringing all of them into the same vault under the same convention is still ahead of me; what I did today was "establish the method and run it end-to-end on one key."

Even so, getting even one key into the "no more plain text, fetch it with a single unlock" shape is a big deal. From here, every time a new key shows up, it just goes into the same vault. Not having to agonize over where to put each key, every time — that was the best thing about today.