docs/gateway/secrets.md
OpenClaw supports additive SecretRefs so supported credentials do not need to live as plaintext in configuration.
<Note> Plaintext still works. SecretRefs are opt-in per credential. </Note> <Warning> Plaintext credentials remain agent-readable if they sit in files the agent can inspect, including `openclaw.json`, `auth-profiles.json`, `.env`, or generated `agents/*/agent/models.json` files. SecretRefs only reduce that local blast radius once every supported credential is migrated and `openclaw secrets audit --check` reports no plaintext residue. </Warning>This keeps secret-provider outages off hot request paths.
For model-provider credentials backed by SecretRefs, OpenClaw mints an opaque, process-local sentinel during model-auth resolution. Auth storage, stream options, SDK configuration, logs, error objects, and most runtime introspection therefore see a value such as oc-sent-v1-..., not the provider credential. The guarded model fetch and managed local-provider health probes replace known sentinels in URL and header values immediately before each request leaves the process.
Unknown sentinel-shaped values fail closed before network activity. OpenClaw refuses to send the request rather than forwarding an unresolved sentinel to a provider. Resolved secret values are also registered for exact-value log redaction as a defense in depth measure.
Provider adapters use the latest injection point their SDK supports:
Sentinels reduce plaintext exposure across the model-call chain, but they are not process isolation. The real value still exists in same-process memory and appears at the final adapter boundary. Plain environment credentials that are not configured through SecretRefs remain plaintext and are outside this mechanism.
Set OPENCLAW_SECRET_SENTINELS=off (also accepts 0 or false, case-insensitive) to disable sentinel minting during incident response or compatibility troubleshooting. The kill switch does not disable exact-value redaction registration.
SecretRefs stop credentials from being persisted in config and generated model files, but they are not a process-isolation boundary. A plaintext credential left on disk in a path the agent can read is still readable via file or shell tools, bypassing API-level redaction.
For production deployments where agent-accessible files are in scope, treat migration as complete only when all of these hold:
openclaw.json, auth-profiles.json, .env, and generated models.json files.openclaw secrets audit --check is clean after migration.This is why the audit/configure/apply workflow is a security migration gate, not just a convenience helper.
<Warning> SecretRefs do not make arbitrary readable files safe. Backups, copied configs, old generated model catalogs, and unsupported credential classes stay production secrets until deleted, moved outside the agent trust boundary, or isolated separately. </Warning>SecretRefs are validated only on effectively active surfaces:
SECRETS_REF_IGNORED_INACTIVE_SURFACE diagnostic.When a SecretRef is set on gateway.auth.token, gateway.auth.password, gateway.remote.token, or gateway.remote.password, gateway startup/reload logs the surface state under code SECRETS_GATEWAY_AUTH_SURFACE:
active: the SecretRef is part of the effective auth surface and must resolve.inactive: another auth surface wins, or remote auth is disabled/not active.The log entry includes the reason the active-surface policy used.
In interactive onboarding, choosing SecretRef storage runs preflight validation before saving:
file or exec): validates provider selection, resolves id, and checks the resolved value type.gateway.auth.token is already a SecretRef, onboarding resolves it before probe/dashboard bootstrap (for env, file, and exec refs) using the same fail-fast gate.Validation failure shows the error and lets you retry.
One object shape everywhere:
{ source: "env" | "file" | "exec", provider: "default", id: "..." }
Shorthand strings are also accepted on SecretInput fields:
```json5
"${OPENAI_API_KEY}"
"$OPENAI_API_KEY"
```
Validation:
- `provider` must match `^[a-z][a-z0-9_-]{0,63}$`
- `id` must match `^[A-Z][A-Z0-9_]{0,127}$`
Validation:
- `provider` must match `^[a-z][a-z0-9_-]{0,63}$`
- `id` must be an absolute JSON pointer (`/...`), or the literal `value` for `singleValue` providers
- RFC 6901 escaping in segments: `~` becomes `~0`, `/` becomes `~1`
Validation:
- `provider` must match `^[a-z][a-z0-9_-]{0,63}$`
- `id` must match `^[A-Za-z0-9][A-Za-z0-9._:/#-]{0,255}$` (supports selectors such as `secret#json_key`)
- `id` must not contain `.` or `..` as slash-delimited path segments (for example `a/../b` is rejected)
Define providers under secrets.providers:
{
secrets: {
providers: {
default: { source: "env" },
filemain: {
source: "file",
path: "~/.openclaw/secrets.json",
mode: "json", // or "singleValue"
},
vault: {
source: "exec",
command: "/usr/local/bin/openclaw-vault-resolver",
args: ["--profile", "prod"],
passEnv: ["PATH", "VAULT_ADDR"],
jsonOnly: true,
},
"team-secrets": {
source: "exec",
pluginIntegration: {
pluginId: "acme-secrets",
integrationId: "secret-store",
},
},
},
defaults: {
env: "default",
file: "filemain",
exec: "vault",
},
resolution: {
maxProviderConcurrency: 4,
maxRefsPerProvider: 512,
maxBatchBytes: 262144,
},
},
}
Request payload (stdin):
{ "protocolVersion": 1, "provider": "vault", "ids": ["providers/openai/apiKey"] }
Response payload (stdout):
{ "protocolVersion": 1, "values": { "providers/openai/apiKey": "<openai-api-key>" } } // pragma: allowlist secret
Optional per-id errors:
{
"protocolVersion": 1,
"values": {},
"errors": { "providers/openai/apiKey": { "message": "not found" } }
}
Do not put file:... strings in the config env block. That block is literal and non-overriding, so file:... is never resolved there.
Use a file SecretRef on a supported credential field instead:
{
secrets: {
providers: {
xai_key_file: {
source: "file",
path: "~/.openclaw/secrets/xai-api-key.txt",
mode: "singleValue",
},
},
},
models: {
providers: {
xai: {
apiKey: { source: "file", provider: "xai_key_file", id: "value" },
},
},
},
}
For mode: "singleValue", the SecretRef id is "value". For mode: "json", use an absolute JSON pointer such as "/providers/xai/apiKey".
See SecretRef Credential Surface for the fields that accept SecretRefs.
Requirements:
- Bitwarden Secrets Manager CLI (`bws`) installed on the Gateway host.
- `BWS_ACCESS_TOKEN` available to the Gateway service.
- `PATH` passed to the resolver, or `BWS_BIN` set to the absolute `bws` binary path.
- `BWS_SERVER_URL` set in the environment when using a self-hosted Bitwarden instance.
```json5
{
secrets: {
providers: {
bws: {
source: "exec",
command: "/usr/local/bin/openclaw-bws-resolver.mjs",
passEnv: ["BWS_ACCESS_TOKEN", "BWS_SERVER_URL", "PATH", "BWS_BIN"],
jsonOnly: true,
},
},
},
models: {
providers: {
openai: {
baseUrl: "https://api.openai.com/v1",
models: [{ id: "gpt-5", name: "gpt-5" }],
apiKey: {
source: "exec",
provider: "bws",
id: "openclaw/providers/openai/apiKey",
},
},
},
},
}
```
The resolver batches requested ids, runs `bws secret list`, and returns values for matching secret `key` fields. Use keys that satisfy the exec SecretRef id contract, such as `openclaw/providers/openai/apiKey`; env-var-style keys with underscores are rejected before the resolver runs. If more than one visible Bitwarden secret shares the requested key, the resolver fails that id as ambiguous instead of guessing. After updating config, verify the resolver path:
```bash
openclaw secrets audit --allow-exec
```
```js
#!/usr/bin/env node
const { spawnSync } = require("node:child_process");
let stdin = "";
process.stdin.setEncoding("utf8");
process.stdin.on("data", (chunk) => {
stdin += chunk;
});
process.stdin.on("error", (err) => {
process.stderr.write(`${err.message}\n`);
process.exit(1);
});
process.stdin.on("end", () => {
let request;
try {
request = JSON.parse(stdin || "{}");
} catch (err) {
process.stderr.write(`Failed to parse request: ${err.message}\n`);
process.exit(1);
}
const passBin = process.env.PASS_BIN || "pass";
const values = {};
const errors = {};
for (const id of request.ids ?? []) {
const result = spawnSync(passBin, ["show", id], { encoding: "utf8" });
if (result.status === 0) {
values[id] = result.stdout.split(/\r?\n/, 1)[0] ?? "";
} else {
errors[id] = { message: (result.stderr || `pass exited ${result.status}`).trim() };
}
}
process.stdout.write(JSON.stringify({ protocolVersion: 1, values, errors }));
});
```
Then configure the exec provider and point `apiKey` at the `pass` entry path:
```json5
{
secrets: {
providers: {
pass_store: {
source: "exec",
command: "/usr/local/bin/openclaw-pass-resolver",
passEnv: ["PATH", "HOME", "GNUPGHOME", "GPG_TTY", "PASSWORD_STORE_DIR", "PASS_BIN"],
jsonOnly: true,
},
},
},
models: {
providers: {
openai: {
baseUrl: "https://api.openai.com/v1",
models: [{ id: "gpt-5", name: "gpt-5" }],
apiKey: {
source: "exec",
provider: "pass_store",
id: "openclaw/providers/openai/apiKey",
},
},
},
},
}
```
Keep the secret on the first line of the `pass` entry, or customize the wrapper to return the full `pass show` output instead. After updating config, verify both the static audit and the exec resolver path:
```bash
openclaw secrets audit --check
openclaw secrets audit --allow-exec
```
MCP server env vars configured via plugins.entries.acpx.config.mcpServers accept SecretInput, keeping API keys and tokens out of plaintext config:
{
plugins: {
entries: {
acpx: {
enabled: true,
config: {
mcpServers: {
github: {
command: "npx",
args: ["-y", "@modelcontextprotocol/server-github"],
env: {
GITHUB_PERSONAL_ACCESS_TOKEN: {
source: "env",
provider: "default",
id: "MCP_GITHUB_PAT",
},
},
},
},
},
},
},
},
}
Plaintext string values still work. Env-template refs like ${MCP_SERVER_API_KEY} and SecretRef objects resolve during gateway activation, before the MCP server process spawns. As with other SecretRef surfaces, unresolved refs only block activation when the acpx plugin is effectively active.
The core ssh sandbox backend also supports SecretRefs for SSH auth material:
{
agents: {
defaults: {
sandbox: {
mode: "all",
backend: "ssh",
ssh: {
target: "user@gateway-host:22",
identityData: { source: "env", provider: "default", id: "SSH_IDENTITY" },
certificateData: { source: "env", provider: "default", id: "SSH_CERTIFICATE" },
knownHostsData: { source: "env", provider: "default", id: "SSH_KNOWN_HOSTS" },
},
},
},
},
}
Runtime behavior:
0o600) and used in the generated SSH config.ssh (or sandbox mode is off), these refs stay inactive and do not block startup.Canonical supported and unsupported credentials are listed in SecretRef Credential Surface.
<Note> Runtime-minted or rotating credentials and OAuth refresh material are intentionally excluded from read-only SecretRef resolution. </Note>__OPENCLAW_REDACTED__ is reserved for internal config redaction/restore and is rejected as literal submitted config data.Warning and audit signals:
SECRETS_REF_OVERRIDES_PLAINTEXT (runtime warning)REF_SHADOWED (audit finding when auth-profiles.json credentials take precedence over openclaw.json refs)Google Chat compatibility: serviceAccountRef takes precedence over plaintext serviceAccount; the plaintext value is ignored once the sibling ref is set.
Secret activation runs on:
secrets.reloadconfig.set / config.apply / config.patch), checking active-surface SecretRef resolvability within the submitted config payload before persisting editsActivation contract:
secrets.reload.When reload-time activation fails after a healthy state, OpenClaw enters degraded secrets state, emitting one-shot system events and log codes:
SECRETS_RELOADER_DEGRADEDSECRETS_RELOADER_RECOVEREDBehavior:
Command paths can opt into supported SecretRef resolution via a gateway snapshot RPC. Two broad behaviors apply:
<Tabs> <Tab title="Strict command paths"> For example `openclaw memory` remote-memory paths and `openclaw qr --remote` when it needs remote shared-secret refs. They read from the active snapshot and fail fast when a required SecretRef is unavailable. </Tab> <Tab title="Read-only command paths"> For example `openclaw status`, `openclaw status --all`, `openclaw channels status`, `openclaw channels resolve`, `openclaw security audit`, and read-only doctor/config repair flows. They also prefer the active snapshot, but degrade instead of aborting when a targeted SecretRef is unavailable.Read-only behavior:
- When the gateway is running, these commands read from the active snapshot first.
- If gateway resolution is incomplete or the gateway is unavailable, they attempt a targeted local fallback for that command surface.
- If a targeted SecretRef is still unavailable, the command continues with degraded read-only output and an explicit diagnostic that the ref is configured but unavailable in this command path.
- This degraded behavior is command-local only; it does not weaken runtime startup, reload, or send/auth paths.
Other notes:
openclaw secrets reload.secrets.resolve.Default operator flow:
<Steps> <Step title="Audit current state"> ```bash openclaw secrets audit --check ``` </Step> <Step title="Configure and apply SecretRefs"> ```bash openclaw secrets configure --apply ``` </Step> <Step title="Re-audit"> ```bash openclaw secrets audit --check ``` </Step> </Steps>Do not treat the migration as complete until the re-audit is clean. If the audit still reports plaintext values at rest, the agent-access risk remains even when runtime APIs return redacted values.
If you save a plan instead of applying during configure, apply that saved plan with openclaw secrets apply --from <plan-path> before the re-audit.
- Plaintext values at rest (`openclaw.json`, `auth-profiles.json`, `.env`, and generated `agents/*/agent/models.json`).
- Plaintext sensitive provider header residues in generated `models.json` entries.
- Unresolved refs.
- Precedence shadowing (`auth-profiles.json` taking priority over `openclaw.json` refs).
- Legacy residues (`auth.json`, OAuth reminders).
Exec note: by default, audit skips exec SecretRef resolvability checks to avoid command side effects. Use `openclaw secrets audit --allow-exec` to execute exec providers during audit.
Header residue note: sensitive provider header detection is name-heuristic based (common auth/credential header names and fragments such as `authorization`, `x-api-key`, `token`, `secret`, `password`, and `credential`).
- Configures `secrets.providers` first (`env`/`file`/`exec`, add/edit/remove).
- Lets you select supported secret-bearing fields in `openclaw.json` plus `auth-profiles.json` for one agent scope.
- Can create a new `auth-profiles.json` mapping directly in the target picker.
- Captures SecretRef details (`source`, `provider`, `id`).
- Runs preflight resolution and can apply immediately.
Exec note: preflight skips exec SecretRef checks unless `--allow-exec` is set. If you apply directly from `configure --apply` and the plan includes exec refs/providers, keep `--allow-exec` set for the apply step too.
Helpful modes:
- `openclaw secrets configure --providers-only`
- `openclaw secrets configure --skip-provider-setup`
- `openclaw secrets configure --agent <id>`
`configure` apply defaults:
- Scrub matching static credentials from `auth-profiles.json` for targeted providers.
- Scrub legacy static `api_key` entries from `auth.json`.
- Scrub matching known secret lines from `<config-dir>/.env`.
```bash
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --allow-exec
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run --allow-exec
```
Exec note: dry-run skips exec checks unless `--allow-exec` is set; write mode rejects plans containing exec SecretRefs/providers unless `--allow-exec` is set.
For strict target/path contract details and exact rejection rules, see [Secrets Apply Plan Contract](/gateway/secrets-plan-contract).
Safety model:
For static credentials, runtime no longer depends on plaintext legacy auth storage.
api_key entries are scrubbed when discovered.Some SecretInput unions are easier to configure in raw editor mode than in form mode.