Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.quanux.org/llms.txt

Use this file to discover all available pages before exploring further.

QuanuX never stores credentials in .env files or configuration files on disk. Every API key, password, and token you configure is written exclusively to your operating system’s native credential store (the OS Keyring), where it is encrypted at rest and isolated from other applications. The interactive setup wizard and the quanuxctl CLI both read and write through this same secure backend.

Initial setup

Run the interactive wizard to configure all of your secrets in one pass. The wizard walks you through every known integration and prompts you only for the keys you haven’t already set. 
python -m server.cli.setup_secrets
This is the recommended starting point for a fresh installation. You can run it again at any time to update or fill in missing credentials — values you’ve already stored are not overwritten unless you explicitly provide a new value.

Setting secrets with quanuxctl

You can set or update any individual secret without running the full wizard. The general pattern is: 
quanuxctl <integration> <field> "<value>"
All values you pass to quanuxctl are written directly to the OS Keyring. They are never logged, echoed to the terminal, or persisted in shell history files — do not wrap them in environment variables that might be captured by process monitors.

TopstepX

quanuxctl topstepx apikey "YOUR_TOPSTEPX_API_KEY"
quanuxctl topstepx user "YOUR_TOPSTEPX_USERNAME"
The TopstepX integration authenticates against the TopstepX GraphQL/WebSocket API. You need both the API key and your account username.

Rithmic

Rithmic credentials apply to any brokerage or prop firm that connects via the Rithmic network — including Apex Trader Funding, Ironbeam, AMP Futures, Discount Trading, Elite Trader Funding, Take Profit Trader, and others. 
quanuxctl rithmic user "YOUR_RITHMIC_USERNAME"
quanuxctl rithmic pass "YOUR_RITHMIC_PASSWORD"
quanuxctl rithmic system "RITHMIC_SYSTEM_NAME"
quanuxctl rithmic url "wss://your-rithmic-endpoint"
The four keys stored are:
KeyDescription
QUANUX_RITHMIC_USERYour Rithmic account username
QUANUX_RITHMIC_PASSYour Rithmic account password
QUANUX_RITHMIC_SYSTEMThe Rithmic system name (provided by your broker)
QUANUX_RITHMIC_URLThe WebSocket endpoint URL for your Rithmic connection

Interactive Brokers (IBKR)

The IBKR extension connects to a running instance of Trader Workstation (TWS) or IB Gateway on your local machine or network. There is no password to store — TWS handles its own authentication. You only need to tell QuanuX where to reach it. 
quanuxctl ibkr host "localhost"
quanuxctl ibkr port "7497"
QUANUX_IBKR_PORT is 7497 for paper trading in TWS and 7496 for live trading. IB Gateway uses 4002 (paper) and 4001 (live). Check your TWS API settings to confirm which port is active.

Tradovate

quanuxctl tradovate key "YOUR_TRADOVATE_API_KEY"
The key is stored as QUANUX_TRADOVATE_KEY. You can also set the trading environment: 
quanuxctl tradovate env "Demo"   # or "Live"

Retrieving secrets in scripts

Use quanuxctl secrets get to read a stored value back out of the keyring — for example, to inject it into a shell script or export it as an environment variable for an extension process. 
quanuxctl secrets get QUANUX_RITHMIC_USER
This prints the raw value to stdout, making it easy to compose with other commands: 
export RITHMIC_USER=$(quanuxctl secrets get QUANUX_RITHMIC_USER)
Be careful with shell history. If your terminal logs commands that include secret values inline, use quanuxctl secrets get to load them at runtime rather than hard-coding values in scripts.

Bridge keys for extensions

QuanuX Extensions (QXP) — the sidecar processes for Rithmic, IBKR, Sierra Chart, Tradovate, and others — authenticate to the QuanuX core using a bridge key. This key is separate from your broker credentials and is generated inside QuanuX itself. To generate a bridge key:
  1. Open the QuanuX web or desktop app.
  2. Go to Settings → QuanuX Extensions.
  3. Click Generate Key.
The generated key is stored in the keyring under a name like QUANUX_<NAME>_KEY (for example, QUANUX_RITHMIC_KEY or QUANUX_SIERRA_BRIDGE_KEY). Extensions retrieve it at startup via quanuxctl secrets get. See Configure and run QuanuX extensions for the full extension startup workflow.

Security checklist

The .env.example file in the repository contains placeholder values only. Never copy real credentials into .env or any file tracked by git. The OS Keyring is the only sanctioned storage location for secrets.
The QuanuX web app displays the set/unset status of every known integration key under Settings → Secrets. Values are never shown — only whether a key has been populated.
Run quanuxctl <integration> <field> "<new-value>" at any time to overwrite an existing secret. The new value takes effect on the next connection attempt — no server restart is required for extensions, but you may need to restart an active broker connection.
On headless Linux servers without a desktop keyring daemon, QuanuX falls back to an encrypted secrets backend. Ensure your server has a supported keyring backend (such as gnome-keyring with a pam session, or HashiCorp Vault) before running the setup wizard in a headless server context.