Skip to main content
The pflow settings command group manages pflow configuration stored in ~/.pflow/settings.json. This includes API keys, environment variables, and node filtering.
Your commands. These are setup commands that you run directly - not your agent. API keys and security settings should always be configured by you, never by an AI agent.

Commands

CommandDescription
initInitialize settings with defaults
showDisplay current settings
set-envSet an environment variable
unset-envRemove an environment variable
list-envList all environment variables
allowAdd an allow pattern
denyAdd a deny pattern
removeRemove a pattern
checkCheck if a node is allowed
resetReset to defaults

pflow settings init

Initialize settings file with defaults. 
pflow settings init
Creates ~/.pflow/settings.json with default configuration. Prompts for confirmation if the file already exists. Default settings: 
{
  "version": "1.0.0",
  "registry": {
    "nodes": {
      "allow": ["*"],
      "deny": []
    }
  },
  "env": {}
}

pflow settings show

Display current settings with sensitive values masked. 
pflow settings show
Output: 
Settings file: ~/.pflow/settings.json

Current settings:
{
  "version": "1.0.0",
  "registry": {
    "nodes": {
      "allow": ["*"],
      "deny": ["test.*"]
    }
  },
  "env": {
    "ANTHROPIC_API_KEY": "sk-***",
    "log_level": "debug"
  }
}
Sensitive values (API keys, tokens, secrets) are automatically masked. Use pflow settings list-env --show-values to see full values.

pflow settings set-env

Set an environment variable for pflow workflows. 
pflow settings set-env <KEY> <VALUE>
Arguments:
  • KEY - Environment variable name
  • VALUE - Environment variable value
Examples: 
# Set Anthropic API key (required for discovery features)
pflow settings set-env ANTHROPIC_API_KEY "sk-ant-..."

# Set other variables
pflow settings set-env GITHUB_TOKEN "ghp_..."
Output: 
✓ Set environment variable: ANTHROPIC_API_KEY
   Value: sk-***
Security: Always set API keys yourself - never let AI agents run this command.
Alternative: If you use Simon Willison’s llm, pflow will use those keys automatically. Run llm keys set anthropic instead.

pflow settings unset-env

Remove an environment variable. 
pflow settings unset-env <KEY>
Arguments:
  • KEY - Environment variable name to remove
Example: 
pflow settings unset-env GITHUB_TOKEN

pflow settings list-env

List all configured environment variables. 
pflow settings list-env [--show-values]
Options:
  • --show-values - Display full unmasked values (use with caution)
Examples: 
# List with masked values (safe)
pflow settings list-env

# List with full values (sensitive!)
pflow settings list-env --show-values
Output (masked): 
Environment variables:
  ANTHROPIC_API_KEY: sk-***
  GITHUB_TOKEN: ghp***
  LOG_LEVEL: debug
Only use --show-values in secure environments. Never let agents access unmasked credentials.

pflow settings allow

Add an allow pattern for node filtering. 
pflow settings allow <PATTERN>
Arguments:
  • PATTERN - Glob-style pattern for nodes to allow
Examples: 
# Allow all file nodes
pflow settings allow "pflow.nodes.file.*"

# Allow specific MCP tools
pflow settings allow "mcp-github-*"

# Allow specific node
pflow settings allow "llm"
Pattern syntax:
  • * matches any characters
  • ? matches single character
  • [seq] matches any character in seq

pflow settings deny

Add a deny pattern for node filtering. 
pflow settings deny <PATTERN>
Arguments:
  • PATTERN - Glob-style pattern for nodes to deny
Examples: 
# Block test nodes
pflow settings deny "pflow.nodes.test.*"

# Block dangerous operations
pflow settings deny "shell"
pflow settings deny "*-delete-*"
Deny patterns take precedence over allow patterns.

pflow settings remove

Remove a pattern from allow or deny list. 
pflow settings remove <PATTERN> [--allow|--deny]
Arguments:
  • PATTERN - Pattern to remove
Options:
  • --allow - Remove from allow list (default)
  • --deny - Remove from deny list
Examples: 
# Remove from deny list
pflow settings remove "test.*" --deny

# Remove from allow list
pflow settings remove "file.*" --allow

pflow settings check

Check if a node would be included based on current settings. 
pflow settings check <NODE_NAME>
Arguments:
  • NODE_NAME - Node name to check
Example: 
pflow settings check read-file
Output (included): 
✓ Node 'read-file' would be INCLUDED

  Matched allow patterns: file.*, *
Output (excluded): 
✗ Node 'echo' would be EXCLUDED

  Matched deny patterns: test.*

pflow settings reset

Reset settings to defaults. 
pflow settings reset
Prompts for confirmation before resetting. This removes all custom settings including API keys.
This deletes ALL custom settings including environment variables and API keys.

How node filtering works

Node filtering uses allow and deny patterns evaluated in this order:
  1. Test nodes - Hidden by default (enable with PFLOW_INCLUDE_TEST_NODES=true)
  2. Deny patterns - Block matching nodes (highest precedence)
  3. Allow patterns - Include matching nodes
  4. Default - Include if * in allow list
Example configuration: 
{
  "registry": {
    "nodes": {
      "allow": ["*"],
      "deny": ["test.*", "shell"]
    }
  }
}
This allows all nodes except test nodes and the shell node.

Environment variable precedence

When workflows need parameters, pflow looks in this order:
  1. CLI parameters (key=value arguments)
  2. Settings environment variables (pflow settings set-env)
  3. Workflow defaults
  4. Error if required and not found
Example: 
# Store API key once
pflow settings set-env OPENAI_API_KEY "sk-..."

# Workflows automatically use it
pflow my-llm-workflow  # No need to pass --param

Sensitive parameter detection

These keys are automatically masked in output:
  • password, passwd, pwd
  • token, api_token, access_token, auth_token
  • api_key, apikey, api-key
  • secret, client_secret, secret_key
  • private_key, ssh_key
Matching is case-insensitive.

File locations

PathPurpose
~/.pflow/settings.jsonSettings file