Environment Setup

This page covers how to manage the credentials and configuration that EnergyAS integrations depend on: private keys, RPC endpoints, and subgraph API keys.

Required Credentials

Local Development

Create a .env file in your project root:

# Operator wallet — manages organizations, projects, and attester lists
PRIVATE_KEY=0x...

# IoT device wallet — submits readings only
DEVICE_PRIVATE_KEY=0x...

# The Graph API key — get one free at thegraph.com/studio → API Keys
THEGRAPH_API_KEY=...

# Optional: custom RPC endpoint (defaults to public RPCs if omitted)
# RPC_URL=https://...

Load it with dotenv:

import 'dotenv/config';

const sdk = await EnergySDK.fromPrivateKey({
  network: 'amoy',
  privateKey: process.env.PRIVATE_KEY,
});

Always add .env to .gitignore — never commit private keys.

echo ".env" >> .gitignore

Wallet Separation

Use at least two wallets:

This limits blast radius: if a device key is compromised, an attacker can only submit (potentially incorrect) readings for the authorized projects — they cannot modify the organization structure or drain funds beyond gas. Rotate compromised device keys by calling removeAttester + addAttester from the operator wallet.

CI/CD Pipelines

Store credentials as environment secrets in your CI provider (GitHub Actions, GitLab CI, etc.) — never hardcode them in scripts or commit them to version control.

GitHub Actions

# .github/workflows/submit-readings.yml
env:
  PRIVATE_KEY: ${{ secrets.DEVICE_PRIVATE_KEY }}
  THEGRAPH_API_KEY: ${{ secrets.THEGRAPH_API_KEY }}

Set the secrets in Settings → Secrets and variables → Actions in your GitHub repository.

GitLab CI

# .gitlab-ci.yml
variables:
  PRIVATE_KEY: $DEVICE_PRIVATE_KEY      # set in Settings → CI/CD → Variables
  THEGRAPH_API_KEY: $THEGRAPH_API_KEY

Mark variables as Masked so they don't appear in logs, and Protected if you only want them available on protected branches.

Docker / Container Deployments

Pass secrets as environment variables at runtime — never bake them into images:

docker run \
  -e PRIVATE_KEY="$DEVICE_PRIVATE_KEY" \
  -e THEGRAPH_API_KEY="$THEGRAPH_API_KEY" \
  your-image:latest

With Docker Compose, use an .env file on the host:

# docker-compose.yml
services:
  reporter:
    image: your-image:latest
    env_file: .env

For production deployments, prefer a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) over plain .env files on disk.

The Graph API Key

Your The Graph API key is a shared credential for reading subgraph data — it is not a secret in the same sense as a private key (it cannot authorize transactions), but it is rate-limited to your account, so treat it accordingly:

• Don't commit it to public repositories
• In frontend apps, either proxy subgraph requests through your backend (so the key never reaches the browser) or use a backend-for-frontend pattern
• The EnergyAS landing page demonstrates nginx-based proxying: the API key is injected server-side and never exposed in the JavaScript bundle

RPC Endpoints

The SDK uses free public RPC endpoints by default:

These are fine for development but may be rate-limited under sustained load. For production workloads, use a dedicated RPC provider (Alchemy, QuickNode, Infura, Ankr, etc.) and pass the URL via rpcUrl:

const sdk = await EnergySDK.fromPrivateKey({
  network: 'polygon',
  privateKey: process.env.PRIVATE_KEY,
  rpcUrl: process.env.RPC_URL,
});

Network Selection

Select the right network for your stage:

Never mix testnet and mainnet keys in the same script — always derive the network from a single environment variable:

const network = process.env.NETWORK ?? 'amoy';  // 'polygon' | 'celo' | 'amoy'

const sdk = await EnergySDK.fromPrivateKey({
  network,
  privateKey: process.env.PRIVATE_KEY,
});