API Credentials
Comprehensive environment variable status dashboard with passphrase-protected value reveal
API Credentials
The Credentials page shows every environment variable the Arcturus-Prime platform needs to fully function. Variables are grouped by category with status badges showing whether they’re configured, missing, or using defaults.
Located at /admin/credentials. Admin-only.
Features
Summary Stats
Four stat cards at the top:
- Total — Number of tracked environment variables (65)
- Configured — Variables that have a value set (via ENV or KV)
- Missing — Required variables that are not set
- Optional — Non-required variables that are not set
Missing Warning Banner
If any required variables are missing, a red banner appears listing their names. This makes it immediately obvious what needs to be configured.
Source Badges
Each variable shows where its value comes from:
- ENV (blue) — Set in CF Pages environment variables or process.env
- KV (purple) — Stored in Cloudflare Workers KV (via API key management)
- MISSING (red) — Not configured anywhere
- DEFAULT (gray) — Not explicitly set but has a fallback default value
Required/Optional Badges
- REQ (amber) — Variable is required for core functionality
- OPT (gray) — Variable is optional or only needed for specific features
Category Cards
Variables are grouped into 14 collapsible categories:
| Category | Variables | Examples |
|---|---|---|
| Authentication | 8 | ADMIN_EMAILS, CF_ACCESS_AUD, ARGOBOX_SERVICE_TOKEN |
| AI / LLM Providers | 8 | GROQ_API_KEY, OPENROUTER_API_KEY, GEMINI_API_KEY |
| Voice & Phone | 6 | ELEVENLABS_API_KEY, TWILIO_*, BLAND_API_KEY |
| Web Search | 2 | BRAVE_API_KEY, PERPLEXITY_API_KEY |
| 2 | RESEND_API_KEY | |
| Cloudflare | 6 | CF_API_TOKEN, CF_ACCOUNT_ID |
| Git & Content | 4 | GITEA_API_TOKEN, GITEA_API_URL |
| OpenClaw | 4 | OPENCLAW_API_TOKEN |
| AI Workbench | 2 | FORGE_RELAY_URL, FORGE_RELAY_SECRET |
| Argonaut Daemon | 2 | ARGONAUT_DAEMON_URL, ARGONAUT_DAEMON_SECRET |
| Build Swarm | 4 | SWARM_ADMIN_KEY, SWARM_CONTROL_KEY |
| Infrastructure | 6 | MM_ARGOBOX_TOKEN, TITAN_ADMINBOX_TOKEN |
| Pentest Daemons | 6 | PENTEST_API_KEY (Tarn-Host/Izar-Host/Sentinel) |
| Jobs & Misc | 6 | AUTOAPPLY_API_KEY, WARMUP_SECRET |
Each card shows a count of configured vs total variables, and highlights missing required vars.
Passphrase-Protected Reveal
By default, sensitive values are masked (e.g., sk-or-...abc5). To see actual values:
First-Time Setup
If no passphrase has been set, the page shows a setup form. Enter a passphrase (6+ characters) and confirm it. The passphrase is SHA-256 hashed with a salt and stored in Cloudflare Workers KV.
Unlocking
Enter your passphrase in the unlock bar. On success, all values are revealed with copy-to-clipboard buttons. Values auto-lock after 5 minutes (countdown shown).
Rate Limiting
After 5 failed passphrase attempts, the account is locked out for 15 minutes. The lockout state is tracked in KV with a 1-hour TTL.
Auto-Lock
Revealed values automatically re-lock after 5 minutes. A countdown timer is visible in the passphrase bar. You can also manually lock by clicking the lock button.
Security
The page has multiple security layers:
- Cloudflare Access — Route-level authentication
- Admin middleware —
validateAdminchecks JWT and admin email whitelist - Passphrase verification — Additional SHA-256 auth layer for value reveal
- Rate limiting — 5 failures → 15 min lockout
- Auto-lock — Client-side 5-minute expiry
- POST-only reveal — Values never included in GET responses
Environment Variable Testing
The credentials API includes a connectivity test feature that validates whether env vars are set and, where possible, tests live connectivity to the configured services.
How to use
Call the test endpoint from the browser console or any admin context:
POST /api/admin/credentials
{ "action": "test-env" }To test specific categories only:
POST /api/admin/credentials
{ "action": "test-env", "categories": ["openclaw", "cloudflare", "git"] }What it tests
For each variable in the registry, the test reports:
| Status | Meaning |
|---|---|
| ok | Variable is set (and connectivity confirmed where applicable) |
| missing | Required variable is not set |
| skipped | Optional variable is not set |
| error | Variable is set but connectivity test failed |
Connectivity tests by category
In addition to checking whether each var is set, live connectivity tests run for these categories:
| Category | Test | What it does |
|---|---|---|
| OpenClaw | Gateway connectivity | GET /health on OPENCLAW_API_URL with Bearer + CF Access headers |
| Cloudflare | CF API token verify | GET /client/v4/user/tokens/verify on Cloudflare API |
| Git & Content | Gitea API | GET /api/v1/user with token auth — returns authenticated username |
| AI Workbench | Forge Relay | GET /health on FORGE_RELAY_URL with Bearer auth |
| Resend API | GET /domains on Resend API to validate the key |
All connectivity tests have an 8-second timeout. Categories without a connectivity test (AI providers, Voice, Search, etc.) only report whether each variable is set.
Response format
{
"results": [
{
"categoryId": "openclaw",
"categoryName": "OpenClaw",
"tests": [
{ "name": "OPENCLAW_API_TOKEN", "status": "ok", "detail": "Set" },
{ "name": "OPENCLAW_API_URL", "status": "ok", "detail": "Set (default)" },
{ "name": "OPENCLAW_SERVICE_TOKEN_ID", "status": "ok", "detail": "Set" },
{ "name": "OPENCLAW_SERVICE_TOKEN_SECRET", "status": "ok", "detail": "Set" },
{ "name": "Gateway connectivity", "status": "ok", "detail": "200 OK" }
]
}
]
}API
GET /api/admin/credentials
Returns all variables with masked values and summary stats.
{
"categories": [
{
"id": "auth",
"name": "Authentication",
"icon": "fa-shield-halved",
"vars": [
{
"name": "ADMIN_EMAILS",
"description": "Admin email whitelist",
"required": true,
"sensitive": false,
"source": "env",
"masked": "[email protected]"
}
]
}
],
"summary": { "total": 65, "configured": 58, "missing": 3, "optional": 4 },
"passphraseSet": true
}POST /api/admin/credentials
Set passphrase:
{ "action": "set-passphrase", "passphrase": "your-passphrase" }Reveal values:
{ "action": "reveal", "passphrase": "your-passphrase" }Returns the same structure as GET but with value fields included and revealed: true.
Test environment variables:
{ "action": "test-env" }
{ "action": "test-env", "categories": ["openclaw", "cloudflare"] }Returns per-category test results with variable presence and connectivity checks.
Files
| File | Purpose |
|---|---|
src/pages/admin/credentials.astro | Admin UI page |
src/pages/api/admin/credentials.ts | API endpoint with variable registry + env test |
src/config/modules/credentials.ts | Module registration |
Related
- Environment Variables Reference — Full documentation of all env vars
- API Dashboard — API key management and provider status
- Health Monitor — Service health checks