Configuration
Triks often need access to API keys, tokens, and other secrets. TrikHub provides a secure, isolated configuration system where each Trik can only access its own credentials.
The Problem
Without configuration isolation:
- A malicious trik could access another trik’s API keys
- Users would need to manage environment variables manually
- No validation of required credentials before execution
With TrikHub’s configuration system, each Trik declares what it needs, and users configure secrets once in a central location.
How Configuration Works
1. Declare Requirements in Manifest
Triks declare their configuration needs in manifest.json:
{
"config": {
"required": [
{ "key": "API_KEY", "description": "Your OpenAI API key" },
{ "key": "BASE_URL", "description": "API base URL" }
],
"optional": [
{ "key": "MODEL", "description": "Model name", "default": "gpt-4" }
]
}
}| Field | Description |
|---|---|
required | Trik fails to execute if these are missing |
optional | Trik works without these; can have defaults |
2. User Configuration
Users store secrets in JSON files, organized by trik ID:
Global configuration: ~/.trikhub/secrets.json
Applies to all projects on your machine:
{
"@molefas/gpt-trik": {
"API_KEY": "sk-...",
"BASE_URL": "https://api.openai.com/v1"
},
"@yourname/another-trik": {
"TOKEN": "abc123"
}
}Local configuration: .trikhub/secrets.json
Project-specific overrides (takes precedence over global):
{
"@molefas/gpt-trik": {
"API_KEY": "sk-different-key-for-this-project"
}
}3. Access in Your Trik
The gateway passes a config context to your trik with access to only its own configuration:
export const graph = {
async invoke({ action, input, config }) {
// Get a required config value
const apiKey = config.get('API_KEY')
// Get optional with fallback
const model = config.get('MODEL') ?? 'gpt-4'
// Check if a key is configured
if (!config.has('API_KEY')) {
return {
responseMode: 'template',
agentData: { template: 'missing_config' }
}
}
// List all available keys (for debugging)
console.log('Configured keys:', config.keys())
// Use the API key
const response = await fetch(config.get('BASE_URL') + '/chat', {
headers: { 'Authorization': `Bearer ${apiKey}` }
})
// ...
}
}Config Context API
| Method | Returns | Description |
|---|---|---|
get(key) | string | undefined | Get value by key, returns undefined if not set |
has(key) | boolean | Check if a key exists |
keys() | string[] | List all configured keys for this trik |
Security
Isolation
Each trik only sees its own configuration. A trik with ID @alice/trik-a cannot access configuration for @bob/trik-b, even if both are loaded in the same gateway.
No Logging
Configuration values are never exposed in logs or error messages. If a required config is missing, the error says “missing API_KEY” but never reveals actual values.
Local Overrides
Local project configuration (.trikhub/secrets.json) takes precedence over global (~/.trikhub/secrets.json). This allows:
- Different API keys per project
- Development vs production credentials
- Team-specific configurations
Validation
The gateway validates required configuration before executing a trik:
$ trik run @molefas/gpt-trik search --topic "AI"
Error: Missing required configuration for @molefas/gpt-trik:
- API_KEY: Your OpenAI API key
Configure in ~/.trikhub/secrets.json:
{
"@molefas/gpt-trik": {
"API_KEY": "your-key-here"
}
}Best Practices
- Describe keys clearly - Help users understand what each key is for
- Use defaults for optional config - Don’t require more than necessary
- Never hardcode secrets - Always use the config context
- Check before using - Validate config exists before making API calls
Next: Learn about Cross-Environment Execution for running triks across runtimes.