PracticeBeginner

Configuration Files

Configuration files externalise a trading system's parameters, credentials and environment settings out of the code, so the same tested code can run against paper or live, with different strategy parameters, without editing or re-deploying the program.

Quick answer: Configuration files externalise a trading system's parameters, credentials and environment settings out of the code, so the same tested code can run against paper or live, with different strategy parameters, without editing or re-deploying the program.

In simple words

A configuration file holds the settings your trading program needs, such as which strategy parameters to use, which broker account, and whether it is paper or live, kept separate from the code itself. This means you can change behaviour by editing a settings file rather than the program, and you never hard-code passwords or API keys into your source. Formats like YAML, JSON and environment variables are the usual ways to store this.

Purpose

Configuration exists to separate what changes between runs and environments (parameters, credentials, endpoints) from the code that stays the same, so the identical tested binary can be safely promoted from paper to live.

Professional explanation

Config versus code: the core principle

The guiding rule is that code is the logic and configuration is the settings that the logic reads. Anything that legitimately varies between runs, environments or accounts, strategy parameters, capital allocation, the broker endpoint, the log level, whether this is paper or live, belongs in configuration, not baked into source. The benefit is that the exact same tested code artefact runs everywhere, and you change behaviour by changing config, which is a smaller, auditable change than editing and re-deploying code. This is a well-established software principle (often summarised as strict separation of config from code) and it is doubly important in trading, where an accidental code edit to change one number risks introducing a bug into a money-handling system.

Formats: YAML, JSON, TOML and env vars

Common formats each have a niche. JSON is ubiquitous and machine-friendly but verbose and comment-less. YAML is human-friendly with comments and is popular for rich, nested strategy configuration, though its whitespace sensitivity and surprising type coercions (the classic case where an unquoted country code or on/off is misread) are real footguns. TOML is a middle ground favoured for clear, flat configuration. Environment variables are the standard for a small number of deployment-specific values and, especially, secrets, because they are injected by the runtime rather than stored in a file. A typical system layers these: a versioned YAML/TOML file for non-secret parameters, overridden by environment variables for secrets and per-environment differences.

Secrets must be handled differently

API keys, tokens, passwords and access secrets are configuration, but they must never be committed to version control or sit in a plaintext file in the repository. A leaked broker API key can let someone trade or drain an account. The standard practices are: keep secrets out of the repo (a gitignored local file, environment variables, or a dedicated secrets manager or vault), inject them at runtime, rotate them periodically, and give each environment its own credentials so a paper key can never accidentally place a live order. A common pattern is to commit a template (config.example.yaml with blank secret fields) so collaborators know the shape without exposing values.

Environments: paper, staging, live

A serious trading setup runs the same code in multiple environments, at minimum paper (or simulation) and live, often with a staging step in between. Each environment has its own config: paper points at the broker's sandbox or a simulator with test credentials and perhaps looser limits, while live points at the real broker with tight risk limits and real credentials. Selecting the environment is itself a config decision, usually an environment variable like ENV=paper or ENV=live that chooses which config file or profile loads. The discipline of explicit environments prevents the catastrophic mistake of pointing test code at a live account, and it makes the promotion from paper to live a config change rather than a code change.

Validation, defaults and precedence

Configuration should be validated on load, not trusted blindly, because a typo in a settings file can be as dangerous as a bug in code, imagine a stop-loss percentage entered as 50 instead of 0.5. Robust systems define a schema (with a library or explicit checks), fail fast with a clear error if a required value is missing or out of range, and apply sensible, safe defaults. They also define a clear precedence order, typically command-line flags override environment variables, which override the config file, which overrides built-in defaults, so it is unambiguous which value wins. Logging the effective, resolved configuration at start-up (with secrets redacted) makes it auditable exactly what settings a live run used.

Configuration and reproducibility

Because configuration determines behaviour, it is part of what must be reproducible. The non-secret config that a live strategy runs under should be version-controlled and tagged alongside the code, so you can answer precisely which parameters were live on a given day. Pairing a code version tag with its config means a past run can be reconstructed exactly, which matters for debugging a live incident or for any audit. Secrets are excluded from this history, but the parameter set that shaped the trading is not, so a change to a strategy parameter is tracked with the same rigour as a change to code.

Config storage options

MechanismBest forWatch out for
JSON fileMachine-generated, simple configNo comments, verbose, easy to mis-edit
YAML fileRich, nested human-edited paramsWhitespace and type-coercion surprises
TOML fileClear flat configLess common in some ecosystems
Environment variablesSecrets and per-environment valuesFlat strings only; must be injected securely
Secrets manager / vaultProduction credentialsExtra infrastructure to run

Practical example

Illustrative example (Indian market)

Suppose your Nifty strategy has a config.yaml with entry_zscore: 2.0, lookback: 20, lots: 1 and daily_loss_limit: 25000, plus an env value ENV that selects the environment. In paper, ENV=paper loads paper credentials pointing at the broker sandbox; to go live you set ENV=live so the same code loads live credentials and perhaps a tighter daily_loss_limit, with no code edit at all. The broker API key never appears in config.yaml; it is injected as an environment variable and the file is gitignored, while a config.example.yaml with blank keys is committed so a teammate knows the structure. On start-up the system validates that lookback is a positive integer and daily_loss_limit is within an allowed range, and logs the resolved config with the API key redacted. This is an illustrative setup, not a parameter recommendation.

For Indian broker APIs, the api_key and access token (for example a Kite Connect key and daily access token) are the classic secrets that must live in environment variables or a vault, never in a committed file, since they can place real NSE orders. Keeping lot sizes, expiry selection and per-strategy limits in a versioned YAML file, separate from those secrets, is the common clean pattern.

Advantages

  • Same tested code runs in paper and live by changing config, not code
  • Secrets stay out of source code and version control
  • Strategy parameters are auditable and version-controlled separately from logic
  • Explicit environments prevent test code from hitting a live account
  • Changing behaviour becomes a small, reviewable config change rather than a code edit

Limitations

  • A typo in config (for example a mis-scaled stop) can be as dangerous as a code bug
  • YAML's whitespace and type coercion cause subtle, hard-to-spot errors
  • Environment variables are flat strings, awkward for deeply nested settings
  • Secrets management adds operational complexity (injection, rotation, vaults)
  • Config sprawl across many files and overrides can become hard to reason about

Common mistakes

  • Hard-coding API keys or passwords in source code or committing them to the repository
  • Editing code to change a parameter instead of externalising it into configuration
  • Sharing one set of credentials across paper and live, risking a test run placing live orders
  • Not validating config on load, so a mis-scaled value like a 50 percent stop silently goes live
  • Committing a real secrets file instead of a blank template (config.example)
  • Leaving the precedence between flags, env vars and files ambiguous, so nobody knows which value wins

Professional usage

Professional teams treat configuration as a first-class, audited part of the system. Non-secret parameters live in version-controlled files (YAML/TOML) with a validated schema and fail-fast checks; secrets live in a managed vault or injected environment variables, rotated regularly and scoped per environment. A clear precedence order (flags over env over file over defaults) is documented, and the resolved configuration is logged at start-up with secrets redacted. Promotion from paper to staging to live is a config selection, not a code change, and every live run's parameter set is tied to a code version tag so it can be reconstructed for debugging or audit.

Key takeaways

  • Keep settings in configuration and logic in code, so one tested artefact runs everywhere
  • Use YAML/TOML/JSON for parameters and environment variables or a vault for secrets
  • Never commit API keys or passwords; inject secrets at runtime and scope them per environment
  • Separate paper and live environments explicitly to avoid pointing test code at a live account
  • Validate config on load and version-control the parameter set for reproducibility

Frequently asked questions

What is a configuration file in a trading system?
It is a file (commonly YAML, JSON or TOML) that holds the settings the program reads at runtime, such as strategy parameters, risk limits, the broker endpoint and the environment, kept separate from the code. It lets you change behaviour by editing settings rather than editing and re-deploying the program.
Why separate configuration from code?
Because the same tested code can then run in every environment, with behaviour driven by config. Changing a parameter becomes a small, auditable config change rather than a code edit that risks introducing a bug into a money-handling system, which is the software principle of separating config from code.
Where should I store API keys for trading?
Never in source code or a committed file. Store them in environment variables or a dedicated secrets manager or vault, inject them at runtime, rotate them periodically, and use separate credentials per environment so a paper key cannot place a live order.
What is the difference between config and secrets?
Config is all runtime settings; secrets are the sensitive subset, API keys, tokens and passwords, that grant access and must be protected. Non-secret config can be version-controlled in a file, but secrets must be kept out of the repository and injected securely.
Should I use YAML or JSON for trading config?
YAML is more human-friendly with comments and nesting, which suits hand-edited strategy parameters, but its whitespace sensitivity and type coercions can bite. JSON is simpler and machine-friendly but has no comments. Many teams use YAML or TOML for parameters and environment variables for secrets and per-environment values.
How do I manage paper and live environments?
Give each environment its own config and credentials, and select between them with an explicit switch such as an ENV environment variable. Paper points at the broker sandbox or a simulator; live points at the real broker with tighter limits. Promotion from paper to live then becomes a config change, not a code change.
Why should configuration be validated on load?
Because a typo in a settings file can be as dangerous as a code bug, for example a stop-loss entered as 50 instead of 0.5. Validating against a schema and failing fast with a clear error when a value is missing or out of range stops a bad setting from reaching a live account.
What is a config.example file?
It is a committed template showing the structure of the configuration with blank or placeholder secret values, so collaborators know what settings are needed without the real secrets ever being exposed in version control. The real secrets file is kept out of the repository.
What is precedence in configuration?
It is the defined order in which sources override each other, typically command-line flags over environment variables over the config file over built-in defaults. A clear precedence order makes it unambiguous which value actually takes effect when the same setting is defined in more than one place.
Should configuration be version-controlled?
Non-secret configuration, yes, so the parameter set a live strategy ran under is tracked and reproducible alongside the code. Secrets must be excluded from version control. Tying the config to a code version tag lets you reconstruct exactly what ran on a given day.
Can I just use a Python file for configuration?
You can, and it allows logic, but it also lets arbitrary code and complexity creep into settings and makes non-programmers wary of editing it. A declarative file (YAML/TOML/JSON) plus environment variables is usually safer and clearer, keeping config as data rather than code.
What happens if I hard-code parameters instead of using config?
Every parameter change becomes a code edit and re-deploy, which is slower, riskier and harder to audit, and it tempts you to test a modified version rather than the deployed one. Externalising parameters keeps the tested code fixed and makes changes small and reviewable.
How does configuration relate to reproducibility?
Behaviour depends on both code and config, so reproducing a past run requires both. Version-controlling the non-secret config and tagging it with the code version means you can reconstruct precisely which parameters were live on a given day, which is essential for debugging incidents and for audit.

Voice search & related questions

Natural-language questions people ask about Configuration Files.

What is a configuration file for trading?
It is a settings file that holds things like your strategy parameters and whether you are running paper or live, kept separate from the program code so you can change behaviour without editing the code.
Where should I keep my API keys?
Never in your code or in a file you commit. Keep them in environment variables or a secrets vault and load them at runtime, with different keys for paper and live.
Why separate settings from code?
So the same tested program can run everywhere and you change how it behaves by editing settings, which is safer than editing the code and risking a bug.
How do I switch between paper and live trading safely?
Give each its own settings and credentials and pick between them with a simple environment switch, so live code never accidentally uses paper settings or the reverse.
Is YAML or JSON better for config?
YAML is friendlier for people to edit and allows comments, JSON is simpler for machines. Many people use YAML for parameters and environment variables for secret keys.
Why validate a config file?
Because a small typo, like writing a stop as 50 instead of 0.5, could be as harmful as a code bug, so checking values on load and failing early prevents a bad setting going live.

Sources & references

    Last reviewed 11 July 2026. Educational content only — not investment advice. Markets and rules change; verify current conventions with SEBI, NSE/BSE and your broker.

    Educational content only — not investment advice. Examples use illustrative numbers and simplified models. Algorithmic trading and derivatives involve substantial risk. See our Risk Disclosure and SEBI Disclaimer.