From 8154f7149fb4e97eb3d6afa8ae94b41bb6aadb53 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 6 Jul 2026 23:09:10 +0000 Subject: [PATCH] Advise plugin authors on naming secret configuration keys /-/config redacts values for keys whose names contain secret, key, password, token, hash or dsn. Plugins that follow that naming get automatic redaction; plugins that don't will leak their secrets on that endpoint. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01GrHZSypDfMnym1tM5XJAFZ --- docs/plugins.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/plugins.rst b/docs/plugins.rst index d2b5c20a..d32a9fe6 100644 --- a/docs/plugins.rst +++ b/docs/plugins.rst @@ -459,6 +459,8 @@ Secret configuration values Some plugins may need configuration that should stay secret - API keys for example. There are two ways in which you can store secret configuration values. +The :ref:`/-/config ` introspection endpoint redacts the values of any configuration keys whose names contain one of these substrings: ``secret``, ``key``, ``password``, ``token``, ``hash`` or ``dsn``. Name your plugin's secret configuration keys accordingly - for example ``api_key`` or ``client_secret`` - so they are automatically redacted there. + **As environment variables**. If your secret lives in an environment variable that is available to the Datasette process, you can indicate that the configuration value should be read from that environment variable like so: .. [[[cog