Security Guide
OpenHuman API Key Security — Best Practices for Protecting Your Keys
If you use OpenHuman with cloud API models (OpenAI, DeepSeek, Claude), your API keys are stored in the config file. This guide covers how to protect those keys from unauthorized access.
Where API Keys Are Stored
OpenHuman stores API keys in ~/.openhuman/config.toml by default. This file is readable by anyone with access to your user account.
Best Practices
1. Enable Key Encryption
OpenHuman supports encrypting API keys at rest. Enable it with a master password:
```toml
[security]
encrypt_api_keys = true
master_password = "your-strong-password"
```

When encryption is enabled, keys are stored as encrypted blobs in config.toml. You'll need to enter the master password when OpenHuman starts.
2. Use Environment Variables
Instead of storing keys in config.toml, use environment variables:
```shell
# In your shell profile (.bashrc, .zshrc, etc.)
export OPENHUMAN_OPENAI_KEY="sk-..."
export OPENHUMAN_DEEPSEEK_KEY="sk-..."
export OPENHUMAN_ELEVENLABS_KEY="..."
```

Then reference them in config.toml:
```toml
[models.openai]
api_key = "${OPENHUMAN_OPENAI_KEY}"
```

3. Use API Key Scope Restrictions
Most providers let you create keys with restricted scopes:
- OpenAI: Create a project-specific key with only model access
- DeepSeek: Standard API keys (no additional admin access)
- Anthropic: Create API keys with limited permissions
4. Rotate Keys Regularly
Set a schedule for rotating API keys:
- Every 90 days for cloud API keys
- Immediately if you suspect a breach
- After sharing your device with someone else
5. Restrict File Permissions
On Unix systems, restrict access to your config:
```shell
chmod 600 ~/.openhuman/config.toml
chmod 700 ~/.openhuman
```

What Not to Do
- ❌ Never commit config.toml to a public repository
- ❌ Never share API keys in emails or chat messages
- ❌ Never leave keys in plain text on shared devices
- ❌ Never use root/admin API keys for personal AI use
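The following audit script is an added example, not part of OpenHuman or its documentation. It checks a config directory for the problems described in sections 2 and 5 and in the list above: wrong file modes, api_key values stored as literals instead of `${VAR}` references (skipped when encrypt_api_keys = true), referenced environment variables that are not actually set, and a config.toml that git is tracking. The path ~/.openhuman/config.toml, the `${OPENHUMAN_*}` reference syntax and the key names api_key and encrypt_api_keys come from this guide; the assumption that values are double-quoted as in the guide's snippets, and the FINDING output format, are mine.

```shell
#!/bin/sh
# Added example (not OpenHuman's own tooling): audit an OpenHuman config
# directory for the weaknesses this guide warns about. Paths, the
# "${OPENHUMAN_*}" reference syntax and the TOML keys api_key and
# encrypt_api_keys follow the guide; everything else here is assumed.
#
# Each check writes human-readable findings to stderr and prints the number
# of findings to stdout, so callers can sum them without relying on exit codes.

# Octal permission bits of a path (GNU stat, with BSD/macOS stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# 1. File permissions: the directory must be 700 and config.toml 600 (section 5).
check_perms() {
    dir=$1; n=0
    if [ "$(perm_of "$dir")" != "700" ]; then
        echo "FINDING: $dir is mode $(perm_of "$dir"), expected 700 (chmod 700)" >&2
        n=$((n + 1))
    fi
    if [ -f "$dir/config.toml" ] && [ "$(perm_of "$dir/config.toml")" != "600" ]; then
        echo "FINDING: $dir/config.toml is mode $(perm_of "$dir/config.toml"), expected 600 (chmod 600)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# 2. Plaintext keys: an api_key whose double-quoted value does not start with
#    "${" is a literal secret on disk, unless at-rest encryption is enabled.
#    Only line numbers are reported so the audit never echoes a key itself.
check_plaintext() {
    cfg=$1/config.toml; n=0
    if grep -Eq '^[[:space:]]*encrypt_api_keys[[:space:]]*=[[:space:]]*true' "$cfg"; then
        echo 0; return
    fi
    lines=$(grep -En '^[[:space:]]*api_key[[:space:]]*=[[:space:]]*"[^$"]' "$cfg" | cut -d: -f1)
    for ln in $lines; do
        echo "FINDING: $cfg line $ln holds a literal api_key (value not shown); move it to an environment variable" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# 3. Environment references: every ${NAME} used in config.toml must be set,
#    otherwise the client would start with an empty key (section 2).
check_env_refs() {
    cfg=$1/config.toml; n=0
    for name in $(grep -Eo '\$\{[A-Za-z_][A-Za-z0-9_]*\}' "$cfg" | tr -d '${}' | sort -u); do
        # $name matched [A-Za-z_][A-Za-z0-9_]* above, so this eval is safe.
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "FINDING: $cfg references \${$name} but it is not set in this environment" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# 4. Repository exposure: config.toml must not be tracked by git ("never commit").
check_not_tracked() {
    dir=$1; n=0
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       git -C "$dir" ls-files --error-unmatch config.toml >/dev/null 2>&1; then
        echo "FINDING: $dir/config.toml is tracked by git; remove it from the index and add it to .gitignore" >&2
        n=1
    fi
    echo "$n"
}

# Run every check against one directory and print the total finding count.
audit() {
    dir=${1:-$HOME/.openhuman}; total=0
    if [ ! -f "$dir/config.toml" ]; then
        echo "no config.toml under $dir, nothing to audit" >&2; echo 0; return
    fi
    for check in check_perms check_plaintext check_env_refs check_not_tracked; do
        total=$((total + $("$check" "$dir")))
    done
    echo "$total"
}

# Usage: sh openhuman_audit.sh ~/.openhuman
# Only runs when a directory is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    findings=$(audit "$1")
    echo "$findings finding(s) in $1"
fi
```

Run it after any config change, and again after rotating a key: a zero from audit means the modes match section 5, no literal keys remain in config.toml, every referenced variable is present, and git is not carrying the file.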
Monitoring Usage
Most AI providers offer usage dashboards. Check them regularly for unexpected activity that might indicate a leaked key.