JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 30
  • Score
    100M100P100Q105818F
  • License MIT

Elding SDK — access your secrets from code, zero .env

Package Exports

  • @elding/sdk
  • @elding/sdk/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@elding/sdk) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@elding/sdk

Your API keys are never in your code or in a .env file. Elding keeps them, your code calls the API normally, and the real key is injected at the last moment.

The same code works in dev and in prod. You change nothing.

npm install @elding/sdk

⚠️ Elding warning: always use the scoped name @elding/sdk. npm install elding (without the @elding/ scope) installs an unrelated third-party package, not Elding.

Quickstart (2 min)

1. Sign in and choose your set

npx elding login      # opens the browser, signs you in
npx elding init       # creates .elding.json (links this project to a set)

2. Write your code

configure() replaces your real key. 1st argument = the secret name in Elding, 2nd = the API domain.

import OpenAI from "openai";
import { configure } from "@elding/sdk";

const openai = new OpenAI(
  await configure("OPENAI_API_KEY", "https://api.openai.com")
);

// use openai normally, the real key is never in your code

3. Run

npx elding proxy -- npm run dev

That's it. The key never enters your application.

In production (Vercel, server, CI)

No proxy in prod. Elding fetches the key at runtime. You don't change your code, you just add 2 environment variables:

ELDING_REFRESH_TOKEN=eld_rt_...   # generate it in the dashboard → API keys
ELDING_SET_ID=...                 # your set's id (set page)

And... that's all. The same configure("OPENAI_API_KEY", "https://api.openai.com") works.

The SDK reads these 2 variables automatically. Keep these exact names (ELDING_REFRESH_TOKEN, ELDING_SET_ID) and you have no option to pass.

How to get the 2 keys

Variable Where to find it
ELDING_REFRESH_TOKEN Dashboard → API keys → New key (shown only once)
ELDING_SET_ID Open your set in the dashboard, the id is in the URL

The 2 functions

configure(name, domain) — for any HTTP API key (OpenAI, Mistral, Stripe, Resend…). You pass it directly to the provider's SDK:

const openai = new OpenAI(await configure("OPENAI_API_KEY", "https://api.openai.com"));

secret(name) — for everything else (DATABASE_URL, JWT_SECRET, REDIS_URL…). Returns the raw value, wiped from memory after 5 min.

import { secret } from "@elding/sdk";
const dbUrl = await secret("DATABASE_URL");

Dev vs prod, at a glance

Dev Prod
Command elding proxy -- npm run dev npm run build && npm start
Mechanism local proxy runtime fetch
To configure elding login + elding init ELDING_REFRESH_TOKEN + ELDING_SET_ID
Your code identical identical

Rules

  • Never hardcode a key, never in process.env, never in the URL.
  • A key that goes into an HTTP request → configure(name, "https://…").
  • Any other secret → secret(name).