Secure credentials

Keep Veracity credentials out of AI prompts and source code so they are never sent to an LLM provider or committed to version control.

Keep your Veracity client secrets, API keys, and service account credentials out of AI prompts and source code so they are never sent to an LLM provider or committed to version control.

An AI agent (a program such as Cursor, GitHub Copilot, or Claude Code that uses an LLM to read your code, run commands, and call APIs) reads files in your workspace to build context. If credentials exist anywhere in that workspace, the agent can include them in the prompts it sends to the LLM. Those prompts are often logged by the LLM provider.

Before you start

You need:

  • A Veracity developer account with at least one registered application or service account
  • Access to the Veracity developer portal
  • A .gitignore file in your repository root

Prevent credential exposure

  1. Store all Veracity credentials as environment variables, not as literals in source files.

    # .env (never commit this file)
VERACITY_CLIENT_ID=your-client-id
VERACITY_CLIENT_SECRET=your-client-secret

  2. Add credential files to .gitignore before you open the project in an AI agent.

    .env
.env.local
.env.*.local

  3. Configure your agent to exclude credential files from its workspace context. In Cursor, add the file paths to .cursorignore. In GitHub Copilot, check your IDE's content exclusion settings. Refer to your per-agent setup guide for the exact path.

  4. Reference credentials by environment variable name in any code you ask the agent to generate. When asking the agent to write authentication code, instruct it explicitly: "Use process.env.VERACITY_CLIENT_SECRET: do not inline the value."

  5. Store production credentials in a secret manager such as Azure Key Vault. Do not load production credentials into your local development environment when working with AI agents.

  6. Apply minimal permission scopes to every service account. An agent that can read your source code should not have access to credentials that carry write or admin permissions.

Verify your setup

Confirm that credentials are not leaking before you commit or share your work:

  • Search your repository for your client ID value: if it appears anywhere in source files, move it to an environment variable and rotate it immediately.
  • Review the agent's recent chat history for any message that contains your client secret, API key, or bearer token. Most AI coding tools display conversation history in the IDE.
  • Confirm that .env and related files appear in .gitignore output: run git check-ignore -v .env and verify the file is listed.

If credentials are exposed

Act immediately. The window between exposure and misuse is short.

  1. Sign in to the Veracity developer portal and revoke the exposed credentials.
  2. Generate replacement credentials and update all services that use them.
  3. Review your application's API access logs for any calls made after the exposure timestamp.
  4. Check the LLM provider's data retention and audit log policies to understand whether the prompt containing the credential was stored.

Do not rotate credentials before revoking the old ones. A live secret that is rotated but not revoked remains valid until the old value expires.

Limitations

  • Some IDE extensions index all files in your workspace, including hidden files and directories. Check your agent's documentation for workspace exclusion settings.
  • Chat history may be retained by the LLM provider under their data processing terms. Review those terms before sharing any context that could contain sensitive values.
  • Environment variables set in a terminal session are visible to other processes running in the same session. Use a secrets manager for credentials with elevated permissions.