This guide provides comprehensive security best practices for managing API keys and sensitive configuration in Memori.
Keep secret files out of version control:

```bash
# WRONG - Don't do this
git add .env
git commit -m "Add configuration"

# CORRECT - Keep secrets out of version control
git add .env.example   # Template file only
git add .gitignore     # Ensure .env is ignored
```

Set the API key as an environment variable and run the application:

```bash
# Set API key as environment variable
export OPENAI_API_KEY="sk-your-actual-api-key-here"

# Use in your application
python your_app.py
```

Note that typing a key into an interactive `export` records it in your shell history; for anything beyond a quick test use the `.env` file or a secret manager.

For local development, create a `.env` file from the template and restrict who can read it:

```bash
# Create .env file for local development
cp .env.example .env

# Edit with your actual keys
nano .env

# Set secure permissions (owner read/write only)
chmod 600 .env
```

Memori-specific settings are supplied the same way, before the application starts:

```bash
# Set before running your application
export MEMORI_AGENTS__OPENAI_API_KEY="sk-your-key-here"
export MEMORI_DATABASE__CONNECTION_STRING="postgresql://user:pass@localhost/db"

# Run your application
python app.py
```

Or place them in a `.env` file:

```bash
# .env file
MEMORI_AGENTS__OPENAI_API_KEY=sk-your-key-here
MEMORI_DATABASE__CONNECTION_STRING=postgresql://user:pass@localhost/db
```

Add `.env` to `.gitignore` and never commit it.
Use placeholders in configuration files:
```json
{
  "agents": {
    "openai_api_key": "sk-your-key-here",
    "default_model": "gpt-4o"
  }
}
```

Memori uses the following environment variable naming convention:

```
MEMORI_<SECTION>__<SETTING_NAME>
```

For example:

- `MEMORI_AGENTS__OPENAI_API_KEY`
- `MEMORI_DATABASE__CONNECTION_STRING`
- `MEMORI_MEMORY__NAMESPACE`
- `MEMORI_LOGGING__LEVEL`
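The convention above is easy to get subtly wrong (a single underscore between section and setting, a typo in the section name), and the natural failure is an application that starts with the key missing. The following loader is an added example and not Memori's own configuration code: it relies only on the documented `MEMORI_<SECTION>__<SETTING_NAME>` shape, and the function names (`load_memori_settings`, `redact`, `require`) and the list of name fragments treated as sensitive are this example's own assumptions. It rejects malformed names instead of skipping them, masks secrets in the copy you would log at startup, and fails fast with the exact variable name when a required setting is absent.

```python
"""Load and validate Memori-style settings from the environment.

Added example, not Memori's own configuration loader. It relies only on the
documented naming convention MEMORI_<SECTION>__<SETTING_NAME>; the function
names and the SENSITIVE_MARKERS list are this example's own assumptions.
"""
import os
from typing import Any, Dict, Mapping, Optional

PREFIX = "MEMORI_"
SEP = "__"
# Assumption: a setting whose name contains one of these is a secret and must
# never be echoed to logs, tracebacks or a debug endpoint.
SENSITIVE_MARKERS = ("KEY", "SECRET", "PASSWORD", "TOKEN", "CONNECTION_STRING")


def load_memori_settings(env: Optional[Mapping[str, str]] = None) -> Dict[str, Dict[str, str]]:
    """Return {section: {setting: value}} for every MEMORI_* variable in `env`.

    A variable that carries the prefix but not the SECTION__SETTING shape is an
    error, not something to skip: MEMORI_AGENTS_OPENAI_API_KEY (one underscore)
    would otherwise leave the application running without its key.
    """
    env = os.environ if env is None else env
    settings: Dict[str, Dict[str, str]] = {}
    for name, value in env.items():
        if not name.startswith(PREFIX):
            continue  # unrelated variables such as PATH are ignored
        section, sep, setting = name[len(PREFIX):].partition(SEP)
        if not sep or not section or not setting or SEP in setting:
            raise ValueError(f"malformed Memori setting name: {name}")
        settings.setdefault(section.lower(), {})[setting.lower()] = value
    return settings


def is_sensitive(setting: str) -> bool:
    return any(marker in setting.upper() for marker in SENSITIVE_MARKERS)


def redact(settings: Mapping[str, Mapping[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Copy of `settings` that is safe to log at startup: secrets are masked."""
    return {
        section: {k: ("****" if is_sensitive(k) else v) for k, v in values.items()}
        for section, values in settings.items()
    }


def require(settings: Mapping[str, Mapping[str, str]], section: str, setting: str) -> str:
    """Fail fast, naming the exact variable to set, instead of failing later
    with a provider error that may include request details."""
    try:
        return settings[section][setting]
    except KeyError:
        raise RuntimeError(
            f"missing required setting {PREFIX}{section.upper()}{SEP}{setting.upper()}"
        ) from None


if __name__ == "__main__":
    # Constructed sample environment; the values are not real credentials.
    sample_env = {
        "MEMORI_AGENTS__OPENAI_API_KEY": "sk-example-not-a-real-key",
        "MEMORI_AGENTS__DEFAULT_MODEL": "gpt-4o",
        "MEMORI_DATABASE__CONNECTION_STRING": "postgresql://user:pass@localhost/db",
        "MEMORI_MEMORY__NAMESPACE": "production",
        "PATH": "/usr/bin",
    }
    cfg = load_memori_settings(sample_env)
    print(redact(cfg))  # key and connection string shown as ****
    print("model:", require(cfg, "agents", "default_model"))
```

Call `load_memori_settings()` with no argument to read the real process environment; pass a dict, as in the `__main__` block, to test configuration loading without setting anything in your shell.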
```bash
# Database settings
export MEMORI_DATABASE__POOL_SIZE="20"
export MEMORI_DATABASE__CONNECTION_STRING="postgresql://..."

# Agent settings
export MEMORI_AGENTS__OPENAI_API_KEY="sk-..."
export MEMORI_AGENTS__DEFAULT_MODEL="gpt-4o"

# Memory settings
export MEMORI_MEMORY__NAMESPACE="production"
export MEMORI_MEMORY__CONTEXT_LIMIT="5"
```

In production, keep secrets in a dedicated secret management service and inject them into the process environment at startup rather than storing them in files on the host:

- AWS Secrets Manager
- Azure Key Vault
- Google Secret Manager
- HashiCorp Vault
Docker Compose: pass secrets in from the host environment instead of writing them into the file:

```yaml
# docker-compose.yml
services:
  memori-app:
    image: your-app
    environment:
      - MEMORI_AGENTS__OPENAI_API_KEY=${OPENAI_API_KEY}
      - MEMORI_DATABASE__CONNECTION_STRING=${DATABASE_URL}
```

Compose substitutes `${OPENAI_API_KEY}` and `${DATABASE_URL}` from your shell or from a `.env` file next to `docker-compose.yml`, so that file needs the same `.gitignore` treatment as any other `.env`. Anyone who can run `docker inspect` on the container can read its environment, so restrict access to the Docker socket accordingly.

Kubernetes: store the values in a Secret object:

```yaml
# k8s-secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: memori-secrets
type: Opaque
data:
  openai-api-key: <base64-encoded-key>
  database-url: <base64-encoded-connection-string>
```

Values under `data:` must be base64-encoded without a trailing newline (or use `stringData:`, which takes plain values and lets the API server encode them). Base64 is an encoding, not encryption: anyone who can read the Secret object can recover the key, so limit access with RBAC and enable encryption at rest for Secrets. Wire the Secret into the pod with `valueFrom.secretKeyRef` so the values reach the application as `MEMORI_AGENTS__OPENAI_API_KEY` and `MEMORI_DATABASE__CONNECTION_STRING`.

Development setup checklist:

- Create `.env` file from `.env.example`
- Add `.env` to `.gitignore`
- Set secure file permissions (`chmod 600 .env`)
- Use environment variables for sensitive config
- Test configuration loading works correctly

Before committing:

- No API keys in repository
- No database passwords in repository
- No sensitive tokens in repository
- `.env` files properly ignored
- Configuration templates included

Production deployment:

- Use a secret management service
- Environment variables for all secrets
- No hardcoded secrets in code
- Regular key rotation schedule
- Access logging enabled
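The "before committing" items above are worth enforcing mechanically rather than by eye. The scanner below is an added example and is not part of Memori or of any named secret-scanning tool: the regular expressions (an `sk-` key of realistic length, a `user:password@host` URL, a PEM private-key header), the template-file suffixes that are allowed to hold placeholders, and the ignored directories are all this example's own assumptions to tune for your repository. It also checks `.gitignore` for the `.env` rule, deliberately matching only the common spellings so that an unusual rule gets looked at rather than assumed correct. A pre-commit hook would feed it the staged files (`git diff --cached --name-only`) instead of the whole tree.

```python
"""Scan files for committed secrets before pushing.

Added example, not part of Memori or of any named scanner. The regexes,
template-file suffixes and ignored directories are this example's own
assumptions; tune them to your repository.
"""
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (relative path, line number, pattern name)

PATTERNS = [
    # Assumption: real OpenAI keys are long; a short placeholder such as
    # sk-your-key-here in a README is not reported.
    ("openai_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
    # user:password@host inside any scheme:// URL (postgresql://, mysql://, ...)
    ("db_url_password", re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@\S+")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
TEMPLATE_SUFFIXES = (".example", ".sample", ".template")
IGNORED_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}


def scan_text(text: str, path: str) -> List[Finding]:
    """Report every line of `text` that matches one of PATTERNS."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS:
            if rx.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan {relative_path: contents}. Template files may contain
    placeholders and are skipped; everything else is checked."""
    findings: List[Finding] = []
    for path, text in files.items():
        if path.endswith(TEMPLATE_SUFFIXES):
            continue
        findings.extend(scan_text(text, path))
    return findings


def read_tree(root: str) -> Dict[str, str]:
    """Collect files under root, skipping VCS and dependency directories."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as f:
                    files[os.path.relpath(full, root)] = f.read()
            except OSError:
                pass  # unreadable file: skip, not worth aborting the scan
    return files


def env_file_ignored(gitignore_text: str) -> bool:
    """True if .gitignore contains a rule that plainly covers .env.
    Only the common spellings are recognised, on purpose: an unusual rule
    shows up as 'not ignored' and gets reviewed instead of assumed fine."""
    rules = {line.strip() for line in gitignore_text.splitlines()}
    return bool(rules & {".env", "/.env", ".env*", "*.env"})


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    files = read_tree(root)
    for path, lineno, name in scan_files(files):
        print(f"{path}:{lineno}: possible {name}")
    if not env_file_ignored(files.get(".gitignore", "")):
        print(".gitignore does not ignore .env")
```

Run it from the repository root; a non-empty report or the `.gitignore` warning is a reason to stop and fix before committing, and a key that does slip through should be treated as leaked (see the response steps below), not just deleted from the next commit.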
If a key is exposed (committed, pasted into a log or chat, or otherwise shared):

- Immediately rotate the key at the provider
- Check for unauthorized usage in your account
- Update all environments with the new key
- Review access logs for suspicious activity
- Implement additional security measures (IP restrictions, etc.)

Treat a key that was ever committed as compromised even if the commit is later rewritten or removed; clones, forks and CI caches may already hold a copy, so revocation is the only fix that actually works.
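Updating `.env` during rotation is the step most likely to go wrong silently: a search pattern that never matches leaves the old key active, a duplicate assignment keeps the old value alive, and a rewritten file can come back world-readable. The helper below is an added example, not Memori's own tooling: it assumes a plain `KEY=value` `.env` file (optionally with `export` prefixes), and the function names `rotate_env_lines` and `rotate_env_file` are this example's. It replaces every assignment of the variable, appends it if absent, writes the result to a sibling temporary file created with mode 0600 and swaps it in atomically, then confirms the old value no longer appears anywhere in the file.

```python
"""Rotate one secret in a .env file without leaving the old value behind.

Added example, not Memori's own tooling. Assumes a plain KEY=value .env file
(optionally with `export` prefixes); the function names are this example's.
"""
import os
import sys
import tempfile
from typing import List, Optional


def rotate_env_lines(lines: List[str], name: str, new_value: str) -> List[str]:
    """Return `lines` with every assignment of `name` replaced by one line
    holding `new_value`. A missing variable is appended, so a pattern that
    never matches cannot leave the old key silently active."""
    out: List[str] = []
    replaced = False
    for line in lines:
        stripped = line.lstrip()
        key = stripped.split("=", 1)[0].strip()
        if "=" in stripped and key in (name, f"export {name}"):
            if not replaced:
                prefix = "export " if key.startswith("export ") else ""
                out.append(f"{prefix}{name}={new_value}\n")
                replaced = True
            continue  # duplicate assignments are dropped, not left with the old value
        out.append(line)
    if not replaced:
        out.append(f"{name}={new_value}\n")
    return out


def rotate_env_file(path: str, name: str, new_value: str,
                    old_value: Optional[str] = None) -> bool:
    """Rewrite `path` atomically with mode 0600. Returns True when `old_value`
    (if given) no longer appears anywhere in the file."""
    with open(path, encoding="utf-8") as f:
        new_lines = rotate_env_lines(f.readlines(), name, new_value)
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600 in the same directory, so the
    # final rename is atomic and the contents are never readable by others.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".env.rotate-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.writelines(new_lines)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    if old_value is None:
        return True
    with open(path, encoding="utf-8") as f:
        return old_value not in f.read()


if __name__ == "__main__":
    # usage: NEW_KEY=... [OLD_KEY=...] python rotate_env.py .env MEMORI_AGENTS__OPENAI_API_KEY
    # The key values come from the environment, not argv, so they do not show
    # up in `ps` output or shell history.
    path, name = sys.argv[1:3]
    ok = rotate_env_file(path, name, os.environ["NEW_KEY"], os.environ.get("OLD_KEY"))
    print("rotated; old value gone" if ok else "WARNING: old value still present in file")
    sys.exit(0 if ok else 1)
```

Use the exit status in your rotation script to gate the "revoke old key" step: only revoke once every environment reports the old value gone and the application has been restarted and verified with the new one.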
Rotation procedure:

```bash
# 1. Generate new API key at provider
NEW_KEY="sk-new-key-here"

# 2. Update environment variables
export MEMORI_AGENTS__OPENAI_API_KEY="$NEW_KEY"

# 3. Update .env file: replace the whole assignment line rather than a
#    guessed prefix of the old key, so the update cannot silently miss.
#    (GNU sed shown; on macOS/BSD use: sed -i '' ...)
sed -i "s|^MEMORI_AGENTS__OPENAI_API_KEY=.*|MEMORI_AGENTS__OPENAI_API_KEY=${NEW_KEY}|" .env

# 4. Restart applications

# 5. Verify everything works

# 6. Revoke old key at provider
```

Revoke the old key only after the new one is deployed and verified in every environment, so nothing is left running on a dead credential. Assigning `NEW_KEY=` in an interactive shell records the key in shell history; run the procedure from a script or clear the history entry afterwards.

Further reading:

- OpenAI API Security
- OWASP API Security Top 10
- Environment Variables Best Practices
- GitHub Security Lab
If you discover a security vulnerability, please report it responsibly by contacting the security team at: [email protected]
Remember: Security is an ongoing process. Regularly review and update your security practices as threats evolve.