Skip to main content

What Variables Are

Variables are named values that Wolffish stores in config.json under the variables array. They hold API keys, tokens, and secrets that capabilities need at runtime. Configure them in Settings > Variables.

Structure

Each variable has three fields:
FieldTypeDescription
namestringIdentifier used to reference the variable (e.g., OPENAI_API_KEY)
valuestringThe actual secret or value
sensitivebooleanWhen true, the value is masked in the UI
{
  "variables": [
    {
      "name": "OPENAI_API_KEY",
      "value": "sk-proj-abc123...",
      "sensitive": true
    },
    {
      "name": "GITHUB_TOKEN",
      "value": "ghp_xxxxxxxxxxxx",
      "sensitive": true
    },
    {
      "name": "BRAVE_API_KEY",
      "value": "BSA-xxxxxxxxxx",
      "sensitive": true
    },
    {
      "name": "NOTION_TOKEN",
      "value": "ntn_xxxxxxxxxx",
      "sensitive": true
    },
    {
      "name": "DEFAULT_BRANCH",
      "value": "main",
      "sensitive": false
    }
  ]
}

Sensitive Flag

When sensitive is true, the variable’s value is displayed as •••••• in the Settings UI. This is a UI-only convenience — it does not mask or exclude the value from the agent.
Mark any credential, token, or API key as sensitive so it’s hidden in the UI. Non-sensitive variables are for non-secret configuration like branch names, project IDs, or environment labels.

How the Agent Uses Variables

Every variable — including ones marked sensitive — appears in plaintext in the system prompt inside a <variables> block on every turn:
- OPENAI_API_KEY = sk-proj-abc123... (sensitive)
- GITHUB_TOKEN = ghp_xxxxxxxxxxxx (sensitive)
- BRAVE_API_KEY = BSA-xxxxxxxxxx (sensitive)
- DEFAULT_BRANCH = main
The (sensitive) label is a hint to the agent not to echo the value back — it does not hide or redact the actual value. This is by design: Variables are the mechanism for giving the LLM credentials it needs to use directly (e.g. passing an API key as a shell command argument). The agent uses them automatically. If a task needs an API key and a matching variable exists, it uses it without asking.
If you store a secret as a Variable, the LLM sees it in plaintext. This is intentional — the agent needs the value to act on it. Use Variables for credentials the agent needs to reference directly. For credentials that plugins handle themselves (Google OAuth, Notion token, etc.), use the integration-specific settings pages instead — those are never sent to the LLM.
Values are stored in plain text in config.json. Wolffish is local-first and your workspace is yours. If you version-control your workspace, add config.json to .gitignore.

Variables vs Environment Variables

Variables are not system environment variables. They differ in important ways:
Wolffish VariablesSystem Env Vars
ScopeWolffish workspace onlyEntire OS session
PortableYes, travel with the workspaceNo, tied to the machine
Managed bySettings UI or config.jsonShell profile or system settings
Available toThe agent (via system prompt)All processes
If you need a value available to both Wolffish and other tools on your system, set it as both a Wolffish variable and a system env var. They don’t conflict.

Common Variables

VariableUsed By
OPENAI_API_KEYOpenAI provider fallback
GITHUB_TOKENGitHub capability (PRs, issues, repos)
BRAVE_API_KEYWeb search capability
NOTION_TOKENNotion integration
GOOGLE_API_KEYGoogle Workspace integration
TELEGRAM_BOT_TOKENTelegram channel

Adding a Variable

  1. Open Settings > Variables
  2. Click Add Variable
  3. Enter the name, value, and toggle sensitive if needed
  4. Click Save