Pipe API keys in from environment variables or a secret manager via filters — credentials never have to be stored in the WordPress database.
How it works
ClassifAI exposes a classifai_provider_credentials filter (and provider-specific variants) that fires immediately before any outbound API request. Returning a credentials array from the filter overrides whatever is currently stored in the database for that provider, which lets administrators source secrets at request time from environment variables, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or any custom secret store — without ever pasting the secret into a WordPress settings page.
Filtered credentials are not persisted to the database and are scoped to the current request, which means a leaked database backup contains no usable API keys.
Provider coverage
The filter pattern is supported across the full provider matrix:
- OpenAI
- Azure OpenAI, Azure AI Vision, Azure AI Speech
- Google Gemini
- IBM Watson
- Amazon Polly
- ElevenLabs
- xAI Grok
- Together AI
- Locally hosted backends (Ollama, Stable Diffusion via AUTOMATIC1111)
Performance note
The official documentation recommends caching the secret-store lookup so that high-traffic features (Smart 404, Recommended Content) do not turn into a denial-of-service against the secret manager. A simple in-memory cache keyed by feature is usually enough.
Use cases
- Enterprise WordPress hosts where database-stored secrets are explicitly disallowed.
- Multi-environment deployments where staging and production should use different credentials without database divergence.
- Compliance regimes that require credentials to live exclusively in a centrally managed secret store.