Public Credentials Handling
v3.8.1 (last updated: 2026-05-14)
Source of truth:
Tests:
Last updated: 2026-05-14 — v3.8.0
Audience: Engineers integrating providers that ship public OAuth client_id / client_secret / Firebase Web API keys in their public CLIs.
Status: MANDATORY for all new code that embeds upstream identifiers.
public binaries or web apps. Google explicitly documents that these are not secrets:
still get a working OAuth flow out of the box. Without an embedded fallback, the Gemini / Antigravity / Windsurf providers stop working for any user who follows the "just clone and run" path.
, , are matched by GitHub Secret Scanning, Semgrep, and similar pattern scanners. Every release becomes a noisy stream of false positives, push protection blocks legitimate commits, and operators stop trusting the alert feed.
The open-sse/utils/publicCreds.ts helper solves both constraints at once:
- ., , ) and passes them through unchanged, so users with raw values in their existing env vars keep working with zero migration.
- This is obfuscation, not encryption. Anyone reading the source can recover the value — which is fine because the value is public by design. The only goal is to avoid scanner regex matches.
, , etc.),
node --import tsx/esm -e \
'import("./open-sse/utils/publicCreds.ts").then(m =>
console.log(JSON.stringify(Array.from(
Buffer.from(m.encodePublicCred("THE_PUBLIC_VALUE"), "base64")
))))'
with a neutral key name (, , , etc.). Do not use names like or in the helper — those words trigger Semgrep generic-secret rules.
// single env override
clientSecret: resolvePublicCred("provider_alt", "PROVIDER_OAUTH_CLIENT_SECRET"),
// multiple env aliases (first non-empty wins)
clientId: resolvePublicCredMulti("provider_id", [
"PROVIDER_CLI_OAUTH_CLIENT_ID",
"PROVIDER_OAUTH_CLIENT_ID",
]),
// no env override (always embedded default)
firebaseApiKey: resolvePublicCred("provider_fb"),
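The resolution order the usage block above relies on, shown as an added example that is not the project's own publicCreds.ts: an env alias override wins first, a raw value in a documented public format passes through unchanged, and the embedded byte-array default is used last. The function names mirror the usage block; the prefix table, the key and the sample values are constructed placeholders.

```typescript
// Added example, not the project's open-sse/utils/publicCreds.ts. The prefix
// table, the byte array and all sample values below are constructed placeholders.

// Documented public-credential prefixes that pass through raw (constructed
// placeholder; the real helper keeps its own table for retrocompat).
const PASSTHROUGH_PREFIXES: string[] = ["PUBX-"];

// Embedded defaults under neutral key names. Each is a byte array generated
// offline (as with the node one-liner above), so no credential regex can
// match the source. Constructed sample: the bytes of "PUBX-sample".
const EMBEDDED: Record<string, number[]> = {
  provider_alt: [80, 85, 66, 88, 45, 115, 97, 109, 112, 108, 101],
};

function hasPublicPrefix(value: string): boolean {
  return PASSTHROUGH_PREFIXES.some((p) => value.startsWith(p));
}

// An env value in a documented raw format passes through unchanged (the
// zero-migration path); anything else is assumed to be the base64 form that
// encodePublicCred produces and is decoded. A raw value in an undocumented
// format would be mangled here, so the prefix table must list every public format.
function fromEnv(value: string): string {
  return hasPublicPrefix(value)
    ? value
    : Buffer.from(value, "base64").toString("utf8");
}

// First non-empty env alias wins; otherwise the embedded default is returned.
function resolvePublicCredMulti(
  key: string,
  envNames: string[],
  env: Record<string, string | undefined> = process.env,
): string {
  for (const name of envNames) {
    const raw = env[name]?.trim();
    if (raw) return fromEnv(raw);
  }
  const bytes = EMBEDDED[key];
  if (!bytes) throw new Error(`no embedded public credential for key "${key}"`);
  return Buffer.from(bytes).toString("utf8");
}

// Single optional env override, or no override at all (always embedded default).
function resolvePublicCred(
  key: string,
  envName?: string,
  env: Record<string, string | undefined> = process.env,
): string {
  return resolvePublicCredMulti(key, envName ? [envName] : [], env);
}
```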
# ── Provider (Google / Firebase / etc.) ──
# Public OAuth credentials are baked into the code via
# open-sse/utils/publicCreds.ts. Set these vars only to use your own.
# PROVIDER_OAUTH_CLIENT_ID=
# PROVIDER_OAUTH_CLIENT_SECRET=
/ / literals to test files. Use the constants built from fragments (see existing tests).
/ only — never call directly outside the helper.
-
- , the helper passes that raw value straight through.
Never do any of the following in production code (, , , ):
// BAD: literal value triggers Secret Scanning + Semgrep
clientSecret: process.env.PROVIDER_OAUTH_CLIENT_SECRET || "GOCSPX-realvalue",
// BAD: base64 of the literal — GitHub still detects since Feb/2025
clientSecret: process.env.PROVIDER_OAUTH_CLIENT_SECRET ||
Buffer.from("R09DU1BYLXJlYWx2YWx1ZQ==", "base64").toString(),
// BAD: string concatenation that re-assembles the pattern at runtime
clientSecret: "GO" + "CS" + "PX-" + "realvalue",
// BAD: hex/ROT13 encoding — different obfuscation, same risk of detection
clientSecret: hexDecode("474f4353..."),
Never add literal credentials to . Users who need real upstream values can extract them from the public CLI themselves, or use their own OAuth registration.
Never dismiss a new secret-scanning alert without first checking whether the credential should be moved to this helper.
enumerates the prefixes that trigger passthrough (retrocompat). Extend it only for documented public credential formats, never for proprietary secrets.
- lives in CI's script — when you remove a var here, make sure the docs match.
- and suites must both stay green.
only for credentials that are:
env vars only (, fallback to empty / explicit error). These belong in and the encrypted credentials store, not in source.