Secrets in Config
Committing real secrets into flowlayer.jsonc is a security failure, not a convenience.
Why it is risky
- config files are often shared in repositories
- shell history and screen recordings leak values
- copied configs spread quickly across machines
Better approach
- keep flowlayer.jsonc values environment-specific and non-sensitive
- inject sensitive values through environment variables where possible
- use per-environment secret management outside FlowLayer config
- rotate credentials if they were ever committed
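A check that enforces the list above before a commit, as an added example that is not FlowLayer's own code: it parses JSONC and reports sensitive-looking keys that hold a literal string. Only session.token comes from this page; the other key names, the sample layout and the ${VAR} placeholder convention are assumptions.

```python
import json
import re
import sys

STRING = r'"(?:\\.|[^"\\])*"'
# session.token is the key this page names; the other names are assumed.
SENSITIVE_KEY = re.compile(r"token|secret|password|api[_-]?key", re.I)
# Empty values and ${VAR}-style references count as non-secret placeholders
# (assumed convention; the page does not say FlowLayer expands them).
PLACEHOLDER = re.compile(r"^(|\$\{[A-Za-z_][A-Za-z0-9_]*\})$")

def _drop(pattern, text):
    """Delete matches of pattern that lie outside JSON string literals."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return re.sub(STRING + "|" + pattern, keep, text, flags=re.S)

def parse_jsonc(text):
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)   # comments
    text = _drop(r",(?=\s*[}\]])", text)        # trailing commas
    return json.loads(text)

def find_literal_secrets(node, path=""):
    """Return dotted paths of sensitive keys that hold a literal string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                if SENSITIVE_KEY.search(key) and not PLACEHOLDER.match(value):
                    hits.append(child)
            else:
                hits.extend(find_literal_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_literal_secrets(item, f"{path}[{i}]"))
    return hits

# Constructed sample; only session.token comes from the page.
SAMPLE = r'''{
  "session": { "token": "dev-constructed-value", /* literal: flagged */ },
  "services": [
    { "url": "http://localhost:8080//v1", "env": { "API_KEY": "${API_KEY}" } },
  ], // trailing commas and comments are legal JSONC
}'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_literal_secrets(parse_jsonc(text))
    for hit in hits:
        print(f"literal secret at {hit}")
    sys.exit(1 if hits else 0)
```

Run with the config path as the only argument; a non-zero exit status lets a pre-commit hook or CI step block the change.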
Session token note
session.token is session-level access control for the dev runtime API.
It is still sensitive enough to avoid broad sharing and should not be treated as a public demo string.
See Session Token and Remote Access.