Provider credentials

• Export variables in your current shell session.
• .env and .env.local files in your current project directory.

• Already-exported shell variables are kept as-is.
• For variables not already exported, .env.local overrides .env.

export OPENAI_API_KEY="your-openai-api-key"
export AZURE_OPENAI_BASE_URL="https://<resource>.openai.azure.com/openai/v1"
export AZURE_OPENAI_API_KEY="your-azure-openai-api-key"

​

LLM providers

​

OpenAI

export OPENAI_API_KEY="your-openai-api-key"

​

Azure OpenAI

# Example: https://<resource>.openai.azure.com/openai/v1
export AZURE_OPENAI_BASE_URL="https://<resource>.openai.azure.com/openai/v1"
export AZURE_OPENAI_API_KEY="your-azure-openai-api-key"

​

Gemini

export GEMINI_BASE_URL="https://generativelanguage.googleapis.com/v1beta/openai"
export GEMINI_API_KEY="your-gemini-api-key"

​

Anthropic

export ANTHROPIC_BASE_URL="https://api.anthropic.com/v1"
export ANTHROPIC_API_KEY="your-anthropic-api-key"

​

AWS Bedrock

export AWS_REGION="us-east-1"
export AWS_ACCESS_KEY_ID="your-access-key-id"
export AWS_SECRET_ACCESS_KEY="your-secret-access-key"
# Optional when using temporary credentials:
export AWS_SESSION_TOKEN="your-session-token"

​

LM Studio

export LM_STUDIO_BASE_URL="http://127.0.0.1:1234/v1"
export LM_STUDIO_API_KEY="lm-studio"

​

Ollama

export OLLAMA_BASE_URL="http://127.0.0.1:11434/v1"
export OLLAMA_API_KEY="ollama"

​

Groq

export GROQ_BASE_URL="https://api.groq.com/openai/v1"
export GROQ_API_KEY="your-groq-api-key"

​

Storage adapters

​

POEditor

export POEDITOR_API_TOKEN="your-poeditor-token"

​

Lilt

export LILT_API_TOKEN="your-lilt-token"

​

Lokalise

export LOKALISE_API_TOKEN="your-lokalise-token"

​

Crowdin

export CROWDIN_API_TOKEN="your-crowdin-token"

​

Smartling

export SMARTLING_USER_SECRET="your-smartling-user-secret"

​

Security guidance

• Prefer environment variables over hardcoded tokens.
• Keep .env and .env.local out of version control.
• Rotate tokens regularly and scope them to least privilege.

​

Credential management standard for local and CI

​

Local development

1. Commit only non-secret config (*Env variable names) to i18n.jsonc.
2. Store real tokens in .env.local (developer machine only).
3. Add .env and .env.local to .gitignore.
4. Use separate dev and production TMS credentials.

​

CI environments

1. Store secrets in your CI secret manager (for example, GitHub Actions Secrets).
2. Inject secrets only into the sync job that needs them.
3. Map CI secrets to environment variables expected by your adapter config.
4. Use environment-scoped secrets and branch protections for production sync.

​

Rotation and least privilege

• Rotate tokens on a fixed schedule (for example every 90 days) and on team member offboarding.
• Create dedicated CI service users per TMS workspace or project.
• Restrict each token to the minimum API scopes required for pull/push.
• Validate rotation by running one dry-run sync before deleting the previous credential.

​

Audit-friendly logging policy

• Never print raw secrets to logs, debug output, screenshots, or issue comments.
• Log only credential source names (SMARTLING_USER_SECRET, LOKALISE_API_TOKEN), not values.
• Keep CLI output in machine-readable formats (--output json or --output csv) for audit trails.
• Store CI logs and sync artifacts according to your retention policy.

​

TMS adapter security checklist

• All adapter secrets are provided through environment variables, not inline config.
• CI uses dedicated service credentials (no personal access tokens).
• Credential scopes are limited to required projects and operations.
• Rotation schedule is documented and owned by a team.
• Pipeline logs do not expose token values.
• Scheduled dry-run sync pull and sync push jobs run successfully.
• Manual approval is required before production write sync, if needed.