.security.yml Reference
API keys and secrets are never stored in config.json. They live in a separate .security.yml file placed alongside config.json in ~/.khunquant/. At startup, KhunQuant loads .security.yml into an in-memory cache and resolves all SecureString fields.
File location
~/.khunquant/
├── config.json ← structure and feature flags (no secrets)
└── .security.yml ← all API keys and credentials
SecureString value prefixes
Each value in .security.yml can use one of four formats:
| Prefix | Example | Behaviour |
|---|---|---|
| (plain) | sk-ant-abc123 | Value used as-is |
| enc:// | enc://AgBx9k... | Decrypted at startup using the local key |
| env:// | env://ANTHROPIC_API_KEY | Read from environment variable |
| file:// | file:///run/secrets/api_key | Read from file path |
Example .security.yml
model_list:
  - model_name: claude
    api_key: env://ANTHROPIC_API_KEY
  - model_name: gpt4o
    api_key: sk-...
  - model_name: local
    api_key: ollama
channels:
  telegram:
    token: env://TELEGRAM_BOT_TOKEN
  pico:
    token: enc://AgBx9kZ...
exchanges:
  binance:
    api_key: env://BINANCE_API_KEY
    secret: env://BINANCE_SECRET
  settrade:
    api_key: env://SETTRADE_API_KEY
    secret: env://SETTRADE_SECRET
Never commit .security.yml
Add .security.yml to your .gitignore. It contains plaintext secrets unless you use enc:// values.
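A pre-deployment check for the rules above, as an added example (not KhunQuant's own code): it walks parsed .security.yml data and reports secret fields stored in plaintext, env:// references to unset variables, and file:// targets that are missing or accessible to group or others. The field names come from the example above; treating the remainder of a file:// value as the path is an assumption, and the sample data is constructed.

```python
import os

SECRET_KEYS = {"api_key", "token", "secret"}  # field names used in the page's example

def classify(value):
    """Return 'enc', 'env', 'file' or 'plain' for one .security.yml value."""
    scheme, sep, _ = value.partition("://")
    return scheme if sep and scheme in ("enc", "env", "file") else "plain"

def check(value, environ):
    """Return a problem description for one secret value, or None if it looks fine."""
    kind = classify(value)
    if kind == "plain":
        return "plaintext value stored in the file"
    if kind == "env":
        name = value[len("env://"):]
        return None if environ.get(name) else f"environment variable {name} is unset"
    if kind == "file":
        target = value[len("file://"):]  # assumption: the remainder is the path
        if not os.path.isfile(target):
            return f"{target} does not exist"
        if os.stat(target).st_mode & 0o077:
            return f"{target} is accessible to group or others"
    return None  # enc:// values are not inspected here

def audit(node, environ=os.environ, path=""):
    """Walk parsed .security.yml data; return [(key_path, problem), ...]."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}" if path else key
            if key in SECRET_KEYS and isinstance(val, str):
                problem = check(val, environ)
                if problem:
                    found.append((child, problem))  # the value itself is never reported
            else:
                found += audit(val, environ, child)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found += audit(val, environ, f"{path}[{i}]")
    return found

# Constructed sample mirroring the page's example, as a YAML parser would return it.
SAMPLE = {
    "model_list": [{"model_name": "claude", "api_key": "env://ANTHROPIC_API_KEY"},
                   {"model_name": "gpt4o", "api_key": "sk-..."}],
    "channels": {"pico": {"token": "enc://AgBx9kZ..."}},
}
```

Load the real file with a YAML parser of your choice and pass the result to `audit()`. Placeholder values such as `ollama` are reported as plaintext too, so review each finding rather than treating every one as a leak.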
JSON config side
In config.json, SecureString fields always serialise as "[NOT_HERE]" — this is intentional and safe to commit. The actual value is resolved only from .security.yml at runtime.