ANTIGRAVITY LABJP
Articles/Agents & Manager
Agents & Manager/2026-07-13Intermediate

Passing API Keys to Agents Safely: Runtime Env Injection and Log Redaction

How to hand secrets to an Antigravity agent without leaving them in your repo or your logs, using runtime environment injection and output masking.

Antigravity326Security9Agents19Secret ManagementEnvironment Variables

Premium Article

I was reviewing the logs from an overnight run the next morning when one line of standard output caught my eye. A deploy token was sitting there in the log file, in plain text. The agent had done nothing wrong. I had handed the secret to it the wrong way.

Secret incidents rarely start with something being stolen. They start with something being written down by accident. Committed to the repo. Printed to a log. Slipped into the agent's context and sent off to an external model along with everything else. As an indie developer running my own apps, I had treated the mechanics of injection lightly right up until that morning. Below is the setup I now run in production to close those three leak paths when passing keys to an Antigravity agent.

Where leaks actually happen

Separating the paths first makes it much harder to double up on some defenses while missing others. Here are the three I have either hit or nearly hit.

Leak pathTypical causeDefense in this setup
RepositoryCommitting .env, hardcoding a real key in an examplegitignore + runtime injection
Logs / stdoutAgent echoes a command result verbatimMasking filter
Agent contextLoading a file with a key, which is then sent to the modelExcluding it from what's read

Each needs its own defense. gitignore does nothing for logs, and masking does nothing for the repository. Let's take them in order.

1. A launch wrapper that injects only at execution time

Stop keeping secrets "written to a file and left there," and switch to "loaded into an environment variable only when you run." The store can be your OS keychain or a tightly permissioned .secrets.env. The point is that the value reaches the agent process and nothing else, leaving no trace in shell history or the repo.

This wrapper reads a gitignored secret file, exports only the keys it needs, and launches the agent. Reading them into an allow list rather than exporting everything keeps the injected surface within what you actually understand.

#!/usr/bin/env bash
# run-agent.sh — inject secrets only at runtime, then launch the agent
set -euo pipefail
 
SECRETS_FILE="${HOME}/.config/antigravity/.secrets.env"
 
# Permission check: refuse unless only the owner can read it
if [ "$(stat -c '%a' "$SECRETS_FILE")" != "600" ]; then
  echo "Refused: set permissions on $SECRETS_FILE to 600" >&2
  exit 1
fi
 
# Pull only the keys named in the allow list (don't pass the whole env)
ALLOWED="DEPLOY_TOKEN API_KEY DB_URL"
 
env_args=()
while IFS='=' read -r key value; do
  [[ "$key" =~ ^#.*$ || -z "$key" ]] && continue
  for a in $ALLOWED; do
    if [ "$key" = "$a" ]; then
      env_args+=("$key=$value")
    fi
  done
done < "$SECRETS_FILE"
 
# Grant temporarily via env; nothing persists in the calling shell
exec env "${env_args[@]}" antigravity agent run "$@"

The allow list is the crux. If you pass every variable in the secret file unconditionally, keys that quietly accumulated over time flow along with everything else. Naming exactly which keys a run needs keeps the injected information within the boundary of your own understanding. I recommend keeping a separate allow list per run type.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A Bash launch wrapper that injects secrets as environment variables only at execution time
A Node masking filter that redacts GitHub and Google API key shapes from output and logs
Two scan gates, pre-commit and pre-run, that catch leaks before they land
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Antigravity Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Agents & Manager2026-07-10
Tracing Why an Agent Wrote That Line Six Months Ago — Commit Granularity and Provenance Trailers
When an agent packs 14 files and 800 lines into a single commit, git blame tells you nothing six months later. Here is how I split commits at intent boundaries, recorded provenance as machine-readable Git trailers, and built a one-command path from a blamed line back to the design decision behind it.
Agents & Manager2026-07-10
When Your Agent's Files Vanish Into .gitignore — A Pre-Commit Detection Gate
When an agent writes files that match .gitignore, the diff review looks perfect but nothing lands in the commit. Here is a gate script that catches ignored build output before you push, plus the tuning it needs.
Agents & Manager2026-06-29
When Your Antigravity Agent Opens a PR That Just Says "Update files" — and a Gate That Forces a Reviewable Summary
Pull requests opened automatically by an Antigravity agent tend to carry empty descriptions like "Update files." Here is a validation gate, with working code, that estimates risk from the diff and rejects vacuous descriptions so a human can actually review them.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →