> ## Documentation Index
> Fetch the complete documentation index at: https://docs.quanux.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing API keys and secrets in QuanuX

> QuanuX stores all broker credentials in the OS Keyring, never in plain-text files. Learn to set, retrieve, and rotate secrets for every supported integration.

QuanuX never stores credentials in `.env` files or configuration files on disk. Every API key, password, and token you configure is written exclusively to your operating system's native credential store (the OS Keyring), where it is encrypted at rest and isolated from other applications. The interactive setup wizard and the `quanuxctl` CLI both read and write through this same secure backend.

## Initial setup

Run the interactive wizard to configure all of your secrets in one pass. The wizard walks you through every known integration and prompts you only for the keys you haven't already set.

```bash theme={null}
python -m server.cli.setup_secrets
```

This is the recommended starting point for a fresh installation. You can run it again at any time to update or fill in missing credentials — values you've already stored are not overwritten unless you explicitly provide a new value.

## Setting secrets with `quanuxctl`

You can set or update any individual secret without running the full wizard. The general pattern is:

```bash theme={null}
quanuxctl <integration> <field> "<value>"
```

<Note>
  All values you pass to `quanuxctl` are written directly to the OS Keyring. They are never logged, echoed to the terminal, or persisted in shell history files — do not wrap them in environment variables that might be captured by process monitors.
</Note>

### TopstepX

```bash theme={null}
quanuxctl topstepx apikey "YOUR_TOPSTEPX_API_KEY"
quanuxctl topstepx user "YOUR_TOPSTEPX_USERNAME"
```

The TopstepX integration authenticates against the TopstepX GraphQL/WebSocket API. You need both the API key and your account username.

### Rithmic

Rithmic credentials apply to any brokerage or prop firm that connects via the Rithmic network — including Apex Trader Funding, Ironbeam, AMP Futures, Discount Trading, Elite Trader Funding, Take Profit Trader, and others.

```bash theme={null}
quanuxctl rithmic user "YOUR_RITHMIC_USERNAME"
quanuxctl rithmic pass "YOUR_RITHMIC_PASSWORD"
quanuxctl rithmic system "RITHMIC_SYSTEM_NAME"
quanuxctl rithmic url "wss://your-rithmic-endpoint"
```

The four keys stored are:

| Key                     | Description                                            |
| ----------------------- | ------------------------------------------------------ |
| `QUANUX_RITHMIC_USER`   | Your Rithmic account username                          |
| `QUANUX_RITHMIC_PASS`   | Your Rithmic account password                          |
| `QUANUX_RITHMIC_SYSTEM` | The Rithmic system name (provided by your broker)      |
| `QUANUX_RITHMIC_URL`    | The WebSocket endpoint URL for your Rithmic connection |

### Interactive Brokers (IBKR)

The IBKR extension connects to a running instance of Trader Workstation (TWS) or IB Gateway on your local machine or network. There is no password to store — TWS handles its own authentication. You only need to tell QuanuX where to reach it.

```bash theme={null}
quanuxctl ibkr host "localhost"
quanuxctl ibkr port "7497"
```

`QUANUX_IBKR_PORT` is `7497` for paper trading in TWS and `7496` for live trading. IB Gateway uses `4002` (paper) and `4001` (live). Check your TWS API settings to confirm which port is active.

### Tradovate

```bash theme={null}
quanuxctl tradovate key "YOUR_TRADOVATE_API_KEY"
```

The key is stored as `QUANUX_TRADOVATE_KEY`. You can also set the trading environment:

```bash theme={null}
quanuxctl tradovate env "Demo"   # or "Live"
```

## Retrieving secrets in scripts

Use `quanuxctl secrets get` to read a stored value back out of the keyring — for example, to inject it into a shell script or export it as an environment variable for an extension process.

```bash theme={null}
quanuxctl secrets get QUANUX_RITHMIC_USER
```

This prints the raw value to stdout, making it easy to compose with other commands:

```bash theme={null}
export RITHMIC_USER=$(quanuxctl secrets get QUANUX_RITHMIC_USER)
```

<Warning>
  Be careful with shell history. If your terminal logs commands that include secret values inline, use `quanuxctl secrets get` to load them at runtime rather than hard-coding values in scripts.
</Warning>

## Bridge keys for extensions

QuanuX Extensions (QXP) — the sidecar processes for Rithmic, IBKR, Sierra Chart, Tradovate, and others — authenticate to the QuanuX core using a **bridge key**. This key is separate from your broker credentials and is generated inside QuanuX itself.

To generate a bridge key:

1. Open the QuanuX web or desktop app.
2. Go to **Settings → QuanuX Extensions**.
3. Click **Generate Key**.

The generated key is stored in the keyring under a name like `QUANUX_<NAME>_KEY` (for example, `QUANUX_RITHMIC_KEY` or `QUANUX_SIERRA_BRIDGE_KEY`). Extensions retrieve it at startup via `quanuxctl secrets get`.

See [Configure and run QuanuX extensions](/configuration/extensions) for the full extension startup workflow.

## Security checklist

<AccordionGroup>
  <Accordion title="Never commit credentials to git">
    The `.env.example` file in the repository contains placeholder values only. Never copy real credentials into `.env` or any file tracked by git. The OS Keyring is the only sanctioned storage location for secrets.
  </Accordion>

  <Accordion title="Audit which secrets are set">
    The QuanuX web app displays the set/unset status of every known integration key under **Settings → Secrets**. Values are never shown — only whether a key has been populated.
  </Accordion>

  <Accordion title="Rotating a credential">
    Run `quanuxctl <integration> <field> "<new-value>"` at any time to overwrite an existing secret. The new value takes effect on the next connection attempt — no server restart is required for extensions, but you may need to restart an active broker connection.
  </Accordion>

  <Accordion title="Server deployments">
    On headless Linux servers without a desktop keyring daemon, QuanuX falls back to an encrypted secrets backend. Ensure your server has a supported keyring backend (such as `gnome-keyring` with a `pam` session, or HashiCorp Vault) before running the setup wizard in a headless server context.
  </Accordion>
</AccordionGroup>
