Best practices for storing API tokens in CLI tools? #12488

Mani19492 · 2026-01-17T18:44:15Z

Mani19492
Jan 17, 2026

I am learning how to build CLI tools in Python and Node.js that interact
with external APIs.

What are the recommended best practices for securely storing and
managing API tokens in CLI applications across different platforms
(Windows, Linux, macOS)?

Any guidance or references would be appreciated.

Answered by r9134027-cmd

Jan 17, 2026

For CLI tools, the safest approach is to avoid hardcoding tokens or storing them in plain text files.

Common best practices include:

Environment variables
Using environment variables is usually the first layer. Tools like dotenv are fine for development, but the .env file should never be committed to the repository.
OS-level secure storage
For production-ready CLI tools, it’s better to rely on the operating system’s credential manager:

macOS: Keychain
Windows: Credential Manager
Linux: Secret Service / keyring

Many CLI tools use libraries that abstract this, such as keyring (Python) or node-keytar (Node.js).

Configuration files with restricted permissions
If tokens must be store…

View full answer

r9134027-cmd · 2026-01-17T18:47:45Z

r9134027-cmd
Jan 17, 2026

For CLI tools, the safest approach is to avoid hardcoding tokens or storing them in plain text files.

Common best practices include:

Environment variables
Using environment variables is usually the first layer. Tools like dotenv are fine for development, but the .env file should never be committed to the repository.
OS-level secure storage
For production-ready CLI tools, it’s better to rely on the operating system’s credential manager:

macOS: Keychain
Windows: Credential Manager
Linux: Secret Service / keyring

Many CLI tools use libraries that abstract this, such as keyring (Python) or node-keytar (Node.js).

Configuration files with restricted permissions
If tokens must be stored locally, they should be written to config files with strict permissions (e.g., chmod 600 on Unix systems).
Token rotation and scopes
Always use scoped tokens with minimal permissions and rotate them regularly, especially if a token might be exposed.
Avoid printing or logging secrets
CLI logs and debug output should never display full tokens.

This approach keeps credentials secure while still being practical across Windows, Linux, and macOS.

1 reply

Mani19492 Jan 17, 2026
Author

Thanks, this explanation is very clear.
Using OS-level credential storage makes a lot of sense for CLI tools.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Best practices for storing API tokens in CLI tools? #12488

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Best practices for storing API tokens in CLI tools? #12488

Uh oh!

Mani19492 Jan 17, 2026

Replies: 1 comment · 1 reply

Uh oh!

r9134027-cmd Jan 17, 2026

Uh oh!

Mani19492 Jan 17, 2026 Author

Mani19492
Jan 17, 2026

Replies: 1 comment 1 reply

r9134027-cmd
Jan 17, 2026

Mani19492 Jan 17, 2026
Author