Skip to main content

How Credentials Are Resolved

Rusty resolves API keys through a tiered chain, checking each source in order. The first non-empty value found is used.

Resolution Order

1

Environment Variables

RUSTY_API_KEY is checked first, then OPENAI_API_KEY. Empty strings are treated as absent.
2

OS Keyring

If credential_store is set to "keyring" in settings, Rusty reads from the system keyring:
  • macOS: Keychain Access
  • Windows: Credential Manager
  • Linux: Secret Service (GNOME Keyring, KWallet)
3

Settings File

The api_key field in ~/.rusty/settings.json is used as a final fallback.

Credential Store Options

Stores the API key in the operating system’s secure credential store. This is the default and recommended option. 
{
  "credential_store": "keyring"
}
The keyring is managed automatically by the setup wizard. You can also manage it programmatically: 
# Check if keyring is available
rusty --setup

Settings File

Stores the API key in plaintext in ~/.rusty/settings.json. Use this if your platform does not have a keyring available (e.g., headless Linux without a desktop environment). 
{
  "credential_store": "settings_file",
  "api_key": "sk-..."
}
When using settings_file mode, the API key is stored in plaintext. Ensure appropriate file permissions on ~/.rusty/settings.json.

Multi-Provider Setup

If you switch between providers, you can store separate credentials using environment variables: 
export OPENAI_API_KEY=sk-openai-...
export RUSTY_API_KEY=sk-other-...
RUSTY_API_KEY always takes precedence over OPENAI_API_KEY.