Credentials¶
Where credentials are stored (NOT the actual credentials).
Security Notice
This page documents WHERE credentials are stored, not the credentials themselves. Never commit actual API keys or passwords to git.
Credential Locations¶
| Service | Location | Notes |
|---|---|---|
| Alpaca API | .env in repo root |
Paper + Live keys |
| Schwab OAuth | ~/.schwab_tokens.json |
Expires every 7 days |
.env File¶
Location: /Users/bertfrichot/Development/bert-trading-personal/.env
Contains:
- ALPACA_PAPER_API_KEY
- ALPACA_PAPER_SECRET_KEY
- ALPACA_REAL_API_KEY
- ALPACA_REAL_SECRET_KEY
Security:
- .env is in .gitignore
- Never commit to git
Schwab Tokens¶
Location: ~/.schwab_tokens.json
Refresh:
Expiry: 7 days
Rotation Schedule¶
| Credential | Rotation | Last Rotated |
|---|---|---|
| Alpaca API Keys | As needed | |
| Schwab Tokens | Every 7 days (auto) |
Emergency: Credential Leak¶
If credentials are accidentally exposed:
- Alpaca: Regenerate keys in Alpaca dashboard immediately
- Schwab: Revoke OAuth access in Schwab account settings
- Update
.envwith new credentials - Check for unauthorized transactions
Last Updated: January 2026