How do environment variables override API keys in the config file?

MagicTradeBot uses a secure priority-based configuration loading system. When the application starts, it checks for API credentials in a specific order to ensure maximum security and deployment flexibility.

Configuration loading priority

1. Environment variables (highest priority)
2. application.yaml values (fallback only)

If a value exists in an environment variable, it always overrides the corresponding value in application.yaml, even if the YAML file also contains a value.

---

How the override works internally

During startup:

1. MagicTradeBot loads application.yaml
2. The configuration loader checks for known environment variables

3. If an environment variable is found:

   • Its value replaces the YAML value in memory
   • The YAML value is ignored
4. The final merged configuration is used by the trading engine

This override happens before any exchange connection or trading logic begins.

---

Practical example

application.yaml

Exchange:
  APIKEY: "old_key_from_yaml"
  APISECRET: "old_secret_from_yaml"

Environment variables

BINANCE_API_KEY=new_secure_key
BINANCE_API_SECRET=new_secure_secret

Result at runtime

MagicTradeBot will use:

API Key    → new_secure_key
API Secret → new_secure_secret

The YAML values are completely ignored.

---

Why MagicTradeBot enforces this behavior

This design is intentional and provides multiple benefits:

• 🔐 Prevents hardcoded secrets
• 🚀 Supports Docker, VPS, and cloud deployments
• 🔄 Allows key rotation without file edits
• 🧪 Enables different environments (demo / staging / production)
• 🛑 Avoids accidental credential leaks via Git

This approach follows industry best practices used in enterprise-grade systems.

---

What if both are missing?

• Demo mode → Bot runs normally without exchange connectivity
• Live trading mode → Bot stops startup and logs a clear error indicating missing credentials

---

Best practice recommendation

✔ Leave API fields empty in application.yaml ✔ Store all sensitive credentials in environment variables ✔ Use IP whitelisting on the exchange for additional security

---

Summary

• Environment variables always take precedence over application.yaml
• Overrides happen automatically at startup
• No manual switching or flags required
• This behavior ensures secure, flexible, and production-ready deployments

📎 Related Topics

• Where should I store exchange API keys for maximum security?
• Should I whitelist my server IP for exchange API keys?
• What API permissions are required for MagicTradeBot to work?
• Why should withdrawal permissions never be enabled for bot API keys?
• Can MagicTradeBot work without storing API keys in application.yaml?