[wp-trac] [WordPress Trac] #64960: Connectors: Allow custom env var and constant names for API key source detection
WordPress Trac
noreply at wordpress.org
Thu Mar 26 16:31:50 UTC 2026
#64960: Connectors: Allow custom env var and constant names for API key source
detection
------------------------------+--------------------
Reporter: jorgefilipecosta | Owner: (none)
Type: defect (bug) | Status: new
Priority: high | Milestone: 7.0
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
------------------------------+--------------------
`_wp_connectors_get_api_key_source()` determines where a connector's API
key is stored by checking, in order: environment variable, PHP constant,
and database option.
The environment variable and constant names are derived automatically from
the connector ID using the convention `{UPPER_ID}_API_KEY` (e.g., `openai`
→ `OPENAI_API_KEY`). This works well for connectors that follow this
pattern, but some connectors use established constants or environment
variables with different names. There is currently no way for a connector
to specify which constant or environment variable holds its API key.
=== Steps to Reproduce ===
1. Register a connector whose API key is stored in a PHP constant with a
non-standard name:
{{{#!php
$registry->register( 'my-service', array(
'name' => 'My Service',
'type' => 'ai_provider',
'authentication' => array(
'method' => 'api_key',
'setting_name' => 'my_service_api_key',
),
) );
}}}
2. Define the constant in `wp-config.php`:
{{{#!php
define( 'MY_SERVICE_KEY', 'sk-test-123' );
}}}
3. Check the connector's `keySource` on the Connectors settings page.
=== Expected Results ===
`keySource` is `'constant'` because the key is defined via a PHP constant.
=== Actual Results ===
`keySource` is `'none'` because the function only checks for
`MY_SERVICE_API_KEY` (derived from the connector ID), not
`MY_SERVICE_KEY`.
=== Proposed Fix ===
Add two optional fields to the connector authentication config —
`constant_name` and `env_var_name` — so connectors can specify which
constant and/or environment variable holds their API key. When provided,
these override the default derived name. When omitted, the existing
behavior is preserved.
Registry changes (`class-wp-connector-registry.php`):
{{{#!diff
if ( 'api_key' === $args['authentication']['method'] ) {
// ... existing credentials_url and setting_name handling ...
+ if ( ! empty( $args['authentication']['constant_name'] ) &&
is_string( $args['authentication']['constant_name'] ) ) {
+ $connector['authentication']['constant_name'] =
$args['authentication']['constant_name'];
+ }
+ if ( ! empty( $args['authentication']['env_var_name'] ) && is_string(
$args['authentication']['env_var_name'] ) ) {
+ $connector['authentication']['env_var_name'] =
$args['authentication']['env_var_name'];
+ }
}
}}}
Key source detection (`connectors.php`):
{{{#!diff
-function _wp_connectors_get_api_key_source( string $provider_id, string
$setting_name ): string {
- $constant_case_id = strtoupper( ... );
- $env_var_name = "{$constant_case_id}_API_KEY";
+function _wp_connectors_get_api_key_source( string $connector_id, string
$setting_name, string $env_var_override = '', string $constant_override =
'' ): string {
+ $constant_case_id = strtoupper( ... );
+ $default_name = "{$constant_case_id}_API_KEY";
+
+ $env_var_name = '' !== $env_var_override ? $env_var_override :
$default_name;
+ $constant_name = '' !== $constant_override ? $constant_override :
$default_name;
}}}
This is fully backwards-compatible: connectors that do not provide custom
names continue to use the auto-generated `{UPPER_ID}_API_KEY` convention.
All existing call sites pass the new fields from the connector config
using null coalescing defaults.
PR: https://github.com/WordPress/wordpress-develop/pull/11363
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64960>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list