Credentials System
The credentials system in Airtrain provides a secure and flexible way to manage API keys and authentication tokens for various services and integrations. This document explains how credentials are managed and why Airtrain uses a dedicated credentials approach.
Credential Classes
Airtrain implements a variety of credential classes, all inheriting from a BaseCredentials class. Each integration typically has its own credential class, such as:
- OpenAICredentials
- AnthropicCredentials
- FireworksCredentials
- TogetherAICredentials
- GeminiCredentials
- And more...
Why Separate Credential Classes?
While environment variables could be used directly in code, Airtrain deliberately uses separate credential classes for several important reasons:
Enhanced Security
Dedicated credential classes provide better security through:
- Consistent handling of sensitive information
- Built-in validation to prevent invalid credentials
- Use of SecretStr and other secure types to prevent exposing keys in logs
- Separation of concerns, keeping authentication distinct from business logic
Environment Flexibility
Separate credential classes support seamless transitions between environments:
- During local development, credentials can be managed through environment variables
- In production deployments, credentials can be loaded from external services
- Credential rotation and management become significantly easier
- Moving from development to production requires minimal code changes
External Service Integration
Credential classes enable integration with various credential management systems:
- AWS Secrets Manager
- Google Secret Manager
- Azure Key Vault
- HashiCorp Vault
- Custom credential management services
Secure Storage Options
Users have multiple options for secure credential storage:
- Environment variables for simple development scenarios
- Encrypted files for shared computing environments
- Credential vaults for enhanced security
- Role-based authentication in production environments
Comprehensive Audit and Logging
Separate credential classes facilitate:
- Logging when credentials are accessed
- Tracking which agent or skill used specific credentials
- Detecting potential credential misuse
- Meeting compliance requirements for access auditing
Best Practices
When working with credentials in Airtrain:
- Never hardcode credentials in your application code
- Use the provided methods for loading credentials:
  - Credentials.from_env() for environment variables
  - Credentials.from_file() for file-based storage
- Validate credentials before using them with the validate_credentials() method
- Follow the principle of least privilege when setting up API keys
- Rotate credentials regularly in production environments
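The pattern described under Enhanced Security, Comprehensive Audit and Logging, and Best Practices, as an added standard-library sketch that is not Airtrain's own code. `Secret`, `DemoCredentials`, `reveal`, the `credentials.audit` logger and the `DEMO_*` variable names are hypothetical; only the method names `from_env` and `validate_credentials` mirror the ones this page mentions.

```python
import logging
import os
from dataclasses import dataclass, fields

audit = logging.getLogger("credentials.audit")  # hypothetical logger name


class Secret:
    """Minimal stand-in for a SecretStr-style type: masked unless asked for."""

    def __init__(self, value: str):
        self._value = value

    def get_secret_value(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret('**********')"

    __str__ = __repr__  # str(), print() and f-strings are masked too


@dataclass
class DemoCredentials:  # hypothetical class, not an Airtrain credential class
    demo_api_key: Secret
    demo_org_id: str = ""
    _required = ("demo_api_key",)  # unannotated, so not a dataclass field

    @classmethod
    def from_env(cls, env=os.environ):
        # Assumed convention: variable name is the field name upper-cased.
        values = {f.name: env.get(f.name.upper(), "") for f in fields(cls)}
        values["demo_api_key"] = Secret(values["demo_api_key"])
        return cls(**values)

    def validate_credentials(self) -> None:
        # Fail early on missing or blank values instead of at first API call.
        for name in self._required:
            value = getattr(self, name)
            raw = value.get_secret_value() if isinstance(value, Secret) else value
            if not raw.strip():
                raise ValueError(f"missing required credential: {name}")

    def reveal(self, name: str, caller: str) -> str:
        # Record who read which field; the value itself is never logged.
        audit.info("credential read field=%s caller=%s", name, caller)
        return getattr(self, name).get_secret_value()
```

Because the dataclass `repr` uses each field's `repr`, logging the whole credentials object shows the masked form, while every unmasked read goes through `reveal` and leaves an audit record naming the caller.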