Files
openclaw/docs/reference/secret-placeholder-conventions.md
Peter Steinberger f7d7148cf0 docs: rewrite published docs grounded in current source (#100142)
Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green.

Closes #100141
2026-07-05 00:32:47 -04:00

1.0 KiB

summary, read_when, title
summary read_when title
Secret-scanner-safe placeholder conventions for docs and examples
Writing docs that include tokens, API keys, or credential snippets
Updating examples that may be scanned by secret-detection tooling
Secret Placeholder Conventions

Secret placeholder conventions

Use placeholders that are human-readable but do not resemble real secrets.

  • Prefer descriptive values like example-openai-key-not-real or example-discord-bot-token.
  • For shell snippets, prefer ${OPENAI_API_KEY} over inline token-like strings.
  • Keep examples obviously fake and scoped to purpose (provider, channel, auth type).

Avoid these patterns in docs

  • Literal PEM private-key header or footer text.
  • Prefixes that resemble live credentials, e.g. sk-..., xoxb-..., AKIA....
  • Realistic-looking bearer tokens copied from runtime logs.

Example

# Good
export OPENAI_API_KEY="example-openai-key-not-real"

# Better (when the doc is about env wiring)
export OPENAI_API_KEY="${OPENAI_API_KEY}"