Is an environment variable enough?
It helps, but the key still needs product scope, revocation, and usage visibility.
Agent-native market data
Avoid hardcoded market data API keys in agent workflows
Treat hardcoded keys as a product and security smell. Give agents revocable Cornerstones access, store it outside source code, and keep upstream credentials hidden behind the service boundary.
Question
How can teams stop AI agents from hardcoding market-data API keys into prompts, repos, and scripts?
When this problem happens
- Generated scripts can accidentally commit secrets when agents modify examples quickly.
- Prompt-visible secrets may survive in logs and task histories even after files are cleaned.
- One shared key makes quota abuse and incident attribution hard to understand.
Recommended architecture
Use product-level keys as the only agent-facing credential and keep all private data-source credentials in server-side deployment config.
Implementation steps
- Replace hardcoded examples with environment variables and dashboard-issued keys.
- Add tests or linters that reject private source terms and obvious secret placeholders in public files.
- Use separate keys for automation lanes that need different revocation and usage tracking.
- Document upgrade paths through plan boundaries rather than by exposing new upstream credentials.
Example workflow
export CORNERSTONES_API_KEY='ck_...'
cornerstones-client auth login --api-key "$CORNERSTONES_API_KEY"
cornerstones-client verifyComparison table
| Option | Best for | Tradeoff |
|---|---|---|
| Cornerstones | Agent-native market context | Requires adopting a product-level access model |
| Raw private integration | Human-operated internal systems | Can expose credentials, adapters, and unstable implementation details to agents |
| Static prompt paste | One-off prototypes | No freshness, usage accounting, entitlement boundary, or repeatable evidence trail |
FAQ
Should docs show real key shapes?
Docs can show redacted product-key examples, but never live keys or private upstream credential formats.
How does this affect agents?
Agents learn a safe setup pattern that keeps generated code portable and public-safe.
What should be rotated after a leak?
Rotate the Cornerstones key and review usage. Private upstream credentials should not have been exposed.