Configuration Files
Configuration files externalise a trading system's parameters, credentials and environment settings out of the code, so the same tested code can run against paper or live, with different strategy parameters, without editing or re-deploying the program.
Quick answer: Configuration files externalise a trading system's parameters, credentials and environment settings out of the code, so the same tested code can run against paper or live, with different strategy parameters, without editing or re-deploying the program.
In simple words
A configuration file holds the settings your trading program needs, such as which strategy parameters to use, which broker account, and whether it is paper or live, kept separate from the code itself. This means you can change behaviour by editing a settings file rather than the program, and you never hard-code passwords or API keys into your source. Formats like YAML, JSON and environment variables are the usual ways to store this.
Purpose
Configuration exists to separate what changes between runs and environments (parameters, credentials, endpoints) from the code that stays the same, so the identical tested binary can be safely promoted from paper to live.
Professional explanation
Config versus code: the core principle
The guiding rule is that code is the logic and configuration is the settings that the logic reads. Anything that legitimately varies between runs, environments or accounts, strategy parameters, capital allocation, the broker endpoint, the log level, whether this is paper or live, belongs in configuration, not baked into source. The benefit is that the exact same tested code artefact runs everywhere, and you change behaviour by changing config, which is a smaller, auditable change than editing and re-deploying code. This is a well-established software principle (often summarised as strict separation of config from code) and it is doubly important in trading, where an accidental code edit to change one number risks introducing a bug into a money-handling system.
Formats: YAML, JSON, TOML and env vars
Common formats each have a niche. JSON is ubiquitous and machine-friendly but verbose and comment-less. YAML is human-friendly with comments and is popular for rich, nested strategy configuration, though its whitespace sensitivity and surprising type coercions (the classic case where an unquoted country code or on/off is misread) are real footguns. TOML is a middle ground favoured for clear, flat configuration. Environment variables are the standard for a small number of deployment-specific values and, especially, secrets, because they are injected by the runtime rather than stored in a file. A typical system layers these: a versioned YAML/TOML file for non-secret parameters, overridden by environment variables for secrets and per-environment differences.
Secrets must be handled differently
API keys, tokens, passwords and access secrets are configuration, but they must never be committed to version control or sit in a plaintext file in the repository. A leaked broker API key can let someone trade or drain an account. The standard practices are: keep secrets out of the repo (a gitignored local file, environment variables, or a dedicated secrets manager or vault), inject them at runtime, rotate them periodically, and give each environment its own credentials so a paper key can never accidentally place a live order. A common pattern is to commit a template (config.example.yaml with blank secret fields) so collaborators know the shape without exposing values.
Environments: paper, staging, live
A serious trading setup runs the same code in multiple environments, at minimum paper (or simulation) and live, often with a staging step in between. Each environment has its own config: paper points at the broker's sandbox or a simulator with test credentials and perhaps looser limits, while live points at the real broker with tight risk limits and real credentials. Selecting the environment is itself a config decision, usually an environment variable like ENV=paper or ENV=live that chooses which config file or profile loads. The discipline of explicit environments prevents the catastrophic mistake of pointing test code at a live account, and it makes the promotion from paper to live a config change rather than a code change.
Validation, defaults and precedence
Configuration should be validated on load, not trusted blindly, because a typo in a settings file can be as dangerous as a bug in code, imagine a stop-loss percentage entered as 50 instead of 0.5. Robust systems define a schema (with a library or explicit checks), fail fast with a clear error if a required value is missing or out of range, and apply sensible, safe defaults. They also define a clear precedence order, typically command-line flags override environment variables, which override the config file, which overrides built-in defaults, so it is unambiguous which value wins. Logging the effective, resolved configuration at start-up (with secrets redacted) makes it auditable exactly what settings a live run used.
Configuration and reproducibility
Because configuration determines behaviour, it is part of what must be reproducible. The non-secret config that a live strategy runs under should be version-controlled and tagged alongside the code, so you can answer precisely which parameters were live on a given day. Pairing a code version tag with its config means a past run can be reconstructed exactly, which matters for debugging a live incident or for any audit. Secrets are excluded from this history, but the parameter set that shaped the trading is not, so a change to a strategy parameter is tracked with the same rigour as a change to code.
Config storage options
| Mechanism | Best for | Watch out for |
|---|---|---|
| JSON file | Machine-generated, simple config | No comments, verbose, easy to mis-edit |
| YAML file | Rich, nested human-edited params | Whitespace and type-coercion surprises |
| TOML file | Clear flat config | Less common in some ecosystems |
| Environment variables | Secrets and per-environment values | Flat strings only; must be injected securely |
| Secrets manager / vault | Production credentials | Extra infrastructure to run |
Practical example
Illustrative example (Indian market)
Suppose your Nifty strategy has a config.yaml with entry_zscore: 2.0, lookback: 20, lots: 1 and daily_loss_limit: 25000, plus an env value ENV that selects the environment. In paper, ENV=paper loads paper credentials pointing at the broker sandbox; to go live you set ENV=live so the same code loads live credentials and perhaps a tighter daily_loss_limit, with no code edit at all. The broker API key never appears in config.yaml; it is injected as an environment variable and the file is gitignored, while a config.example.yaml with blank keys is committed so a teammate knows the structure. On start-up the system validates that lookback is a positive integer and daily_loss_limit is within an allowed range, and logs the resolved config with the API key redacted. This is an illustrative setup, not a parameter recommendation.
For Indian broker APIs, the api_key and access token (for example a Kite Connect key and daily access token) are the classic secrets that must live in environment variables or a vault, never in a committed file, since they can place real NSE orders. Keeping lot sizes, expiry selection and per-strategy limits in a versioned YAML file, separate from those secrets, is the common clean pattern.
Advantages
- Same tested code runs in paper and live by changing config, not code
- Secrets stay out of source code and version control
- Strategy parameters are auditable and version-controlled separately from logic
- Explicit environments prevent test code from hitting a live account
- Changing behaviour becomes a small, reviewable config change rather than a code edit
Limitations
- A typo in config (for example a mis-scaled stop) can be as dangerous as a code bug
- YAML's whitespace and type coercion cause subtle, hard-to-spot errors
- Environment variables are flat strings, awkward for deeply nested settings
- Secrets management adds operational complexity (injection, rotation, vaults)
- Config sprawl across many files and overrides can become hard to reason about
Common mistakes
- Hard-coding API keys or passwords in source code or committing them to the repository
- Editing code to change a parameter instead of externalising it into configuration
- Sharing one set of credentials across paper and live, risking a test run placing live orders
- Not validating config on load, so a mis-scaled value like a 50 percent stop silently goes live
- Committing a real secrets file instead of a blank template (config.example)
- Leaving the precedence between flags, env vars and files ambiguous, so nobody knows which value wins
Professional usage
Professional teams treat configuration as a first-class, audited part of the system. Non-secret parameters live in version-controlled files (YAML/TOML) with a validated schema and fail-fast checks; secrets live in a managed vault or injected environment variables, rotated regularly and scoped per environment. A clear precedence order (flags over env over file over defaults) is documented, and the resolved configuration is logged at start-up with secrets redacted. Promotion from paper to staging to live is a config selection, not a code change, and every live run's parameter set is tied to a code version tag so it can be reconstructed for debugging or audit.
Key takeaways
- Keep settings in configuration and logic in code, so one tested artefact runs everywhere
- Use YAML/TOML/JSON for parameters and environment variables or a vault for secrets
- Never commit API keys or passwords; inject secrets at runtime and scope them per environment
- Separate paper and live environments explicitly to avoid pointing test code at a live account
- Validate config on load and version-control the parameter set for reproducibility
Frequently asked questions
What is a configuration file in a trading system?
Why separate configuration from code?
Where should I store API keys for trading?
What is the difference between config and secrets?
Should I use YAML or JSON for trading config?
How do I manage paper and live environments?
Why should configuration be validated on load?
What is a config.example file?
What is precedence in configuration?
Should configuration be version-controlled?
Can I just use a Python file for configuration?
What happens if I hard-code parameters instead of using config?
How does configuration relate to reproducibility?
Voice search & related questions
Natural-language questions people ask about Configuration Files.
What is a configuration file for trading?
Where should I keep my API keys?
Why separate settings from code?
How do I switch between paper and live trading safely?
Is YAML or JSON better for config?
Why validate a config file?
Sources & references
Last reviewed 11 July 2026. Educational content only — not investment advice. Markets and rules change; verify current conventions with SEBI, NSE/BSE and your broker.