Capture any API key directly to .env
The universal pattern. Stripe, Supabase, OpenAI, Anthropic, AWS, SendGrid, Twilio, Resend, Vercel — every SaaS dashboard hides keys behind a Reveal button, often only once, often auto-hiding after a few seconds. The agent reveals, captures, writes. Done.
Filling in .env by hand is the most-repeated tedious task in modern app development. Get a Stripe key, paste. Get a Supabase service-role key, paste. Get OpenAI, Anthropic, AWS, SendGrid, Twilio. Each one is 30 seconds of switching windows, revealing, copying, finding the right line in .env, pasting. Across a typical SaaS setup, you do this 5–15 times. write_to_env collapses it to a single tool call per key.
The four-tool dance
1. Open the keys page
open_page("https://dashboard.stripe.com/apikeys")
// or supabase.com/dashboard/project/abc/settings/api
// or platform.openai.com/api-keys
// or console.anthropic.com/settings/keys
// or aws/iam/users/security_credentials
2. Reveal the key with verification
click_element("Reveal test key", until_text_contains="sk_test_")
The until_text_contains clause verifies the reveal actually happened — if it silently failed, click_element returns success=false instead of moving on with stale state.
3. Capture the revealed value
const found = find_text("sk_test_", max=1)
const key = found[0].matchedText
// e.g. "sk_test_51AbCdEf...XyZ"
find_text returns the surrounding context and the exact matched text. Most dashboards auto-revert the reveal after 30–60 seconds, so the capture has to happen quickly; Chromeflow's per-call latency fits well within that window.
4. Write to .env
write_to_env(
"STRIPE_SECRET_KEY",
key,
"/Users/you/myapp/.env"
)
write_to_env handles: file lock, append-vs-replace (if STRIPE_SECRET_KEY already exists in .env, it's updated in place), quoting (double-quoted if the value contains a space), and a final read-back to confirm the line landed correctly.
Works the same across every SaaS
The pattern is identical regardless of provider. Only the URL, reveal-button label, and key-prefix change. A representative sample:
| Service | Dashboard URL | Key prefix | Env var convention |
|---|---|---|---|
| Stripe | dashboard.stripe.com/apikeys | sk_test_ / sk_live_ | STRIPE_SECRET_KEY |
| Supabase | supabase.com/dashboard/project/.../settings/api | eyJ (JWT) | SUPABASE_SERVICE_ROLE_KEY |
| OpenAI | platform.openai.com/api-keys | sk- | OPENAI_API_KEY |
| Anthropic | console.anthropic.com/settings/keys | sk-ant- | ANTHROPIC_API_KEY |
| AWS IAM | console.aws.amazon.com/iam | AKIA | AWS_ACCESS_KEY_ID |
| SendGrid | app.sendgrid.com/settings/api_keys | SG. | SENDGRID_API_KEY |
| Twilio | console.twilio.com/.../api-keys | SK | TWILIO_API_KEY |
| Vercel | vercel.com/account/tokens | opaque hex | VERCEL_TOKEN |
| Resend | resend.com/api-keys | re_ | RESEND_API_KEY |
The "you" path vs the agent path
You by hand: Switch to browser. Navigate to dashboard. Sign in if needed. Find API keys section. Click reveal. Click copy. Switch to terminal. Find the right project. Open .env. Find the right line or create a new one. Paste. Save. Switch back. Repeat for the next key. ~60–90 seconds per key, plus the context-switch tax.
Agent with Chromeflow: Single tool call sequence shown above. ~3 seconds of wall-clock. Your active engagement: zero (unless 2FA prompts, in which case ~10 seconds).
Security notes
- The agent's LLM sees the key in its tool-call response. If you're using a remote LLM (Claude, GPT-4, etc.), the key passes through the API provider's logs per their policy. Worth considering for production keys; less of a concern for test/sandbox keys.
- Chromeflow itself collects nothing. The extension talks only to a local WebSocket on 127.0.0.1.
- .env stays local. Make sure it's in .gitignore before committing.
- For production secrets, prefer a real secret manager (Vercel Env, Doppler, 1Password CLI, AWS Secrets Manager). Use write_to_env for development setup.
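
The behaviour listed under "Write to .env" (file lock, update in place, quoting, read-back) and the .gitignore check from the security notes, as an added Python sketch; this is not Chromeflow's code, and the names upsert_env, format_line and gitignore_covers_env are hypothetical. Assumptions beyond what the page states: owner-only (0600) file mode, rejection of control characters in the value so a captured string cannot inject extra lines, removal of later duplicate entries, and a POSIX system for fcntl.

```python
import fcntl
import os
import re

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def format_line(name, value):
    """Build NAME=value, rejecting input that could inject extra lines."""
    if not NAME_RE.match(name):
        raise ValueError("invalid variable name")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in value")
    if " " in value:  # quote only when the value contains a space
        value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{name}={value}"

def upsert_env(path, name, value):
    """Set name in the .env at path; return True once read-back confirms it."""
    new_line = format_line(name, value)
    is_target = re.compile(rf"^\s*(?:export\s+)?{re.escape(name)}\s*=").match
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)  # new file: owner-only
    with os.fdopen(fd, "r+", encoding="utf-8") as f:
        fcntl.flock(f, fcntl.LOCK_EX)  # POSIX advisory lock, released on close
        out, done = [], False
        for line in f.read().splitlines():
            if not is_target(line):
                out.append(line)  # comments and other variables are kept
            elif not done:  # update in place; later duplicates are dropped
                out.append(new_line)
                done = True
        if not done:
            out.append(new_line)
        f.seek(0)
        f.truncate()
        f.write("\n".join(out) + "\n")
        f.flush()
        os.fsync(f.fileno())
        f.seek(0)
        confirmed = f.read().splitlines().count(new_line) == 1
    os.chmod(path, 0o600)  # tighten pre-existing files too
    return confirmed

def gitignore_covers_env(project_dir):
    """True if project_dir/.gitignore has a plain .env or .env* entry."""
    try:
        with open(os.path.join(project_dir, ".gitignore"), encoding="utf-8") as g:
            return any(ln.strip() in (".env", ".env*", "/.env") for ln in g)
    except FileNotFoundError:
        return False
```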
