Problem Description
When starting OpenClaw or during a conversation, you may encounter API authentication errors:
[openclaw:gateway] Error: 401 Unauthorized - Invalid API key provided.
[openclaw:gateway] Provider: openai, Model: gpt-4o
Or an Anthropic authentication error:
[openclaw:gateway] Error: 401 - {"type":"error","error":{"type":"authentication_error","message":"invalid x-api-key"}}
Or a Google Gemini authentication failure:
[openclaw:gateway] Error: 403 - API key not valid. Please pass a valid API key.
An authentication error means OpenClaw cannot pass the AI model provider's identity verification, and the request is rejected. This is typically caused by an incorrectly configured, expired, or revoked API key.
Diagnostic Steps
Step 1: Verify the Key in the Configuration File
Check the current API key settings in your configuration (note that only partial characters of the key are displayed):
openclaw config show --unmask-partial
Example output:
providers.openai.apiKey: sk-proj-...Xk3a
providers.anthropic.apiKey: sk-ant-...9f2b
Confirm that the displayed key prefix and suffix match what you see in the provider's console.
Step 2: Directly Validate the API Key
Use curl to test whether each provider's API key is valid:
OpenAI:
curl https://api.openai.com/v1/models \
-H "Authorization: Bearer sk-your-key-here"
Anthropic:
curl https://api.anthropic.com/v1/messages \
-H "x-api-key: sk-ant-your-key-here" \
-H "anthropic-version: 2023-06-01" \
-H "content-type: application/json" \
-d '{"model":"claude-sonnet-4-20250514","max_tokens":10,"messages":[{"role":"user","content":"Hi"}]}'
Google Gemini:
curl "https://generativelanguage.googleapis.com/v1/models?key=YOUR_API_KEY"
If a 401 or 403 error is returned, the key itself is invalid.
Step 3: Check for Environment Variable Overrides
OpenClaw supports setting API keys via environment variables, which take priority over the configuration file. Check whether environment variables are overriding your settings:
env | grep -i "OPENCLAW\|OPENAI\|ANTHROPIC\|GEMINI"
If an incorrect key is set in an environment variable, it will override the correct key in the configuration file.
Solutions
Issue 1: Incorrect or Malformed API Key
Different providers have different API key formats:
- OpenAI: Starts with
sk-proj-orsk- - Anthropic: Starts with
sk-ant-api03- - Google Gemini: Typically a 39-character alphanumeric string
Check the configuration file for extra spaces, line breaks, or quoting issues:
cat -A ~/.openclaw/openclaw.json | grep apiKey
If line endings contain ^M (Windows line endings) or extra spaces, they need to be cleaned up.
The recommended way to update API keys:
openclaw config set providers.openai.apiKey "sk-proj-your-new-key"
openclaw config set providers.anthropic.apiKey "sk-ant-api03-your-new-key"
Using the openclaw config set command avoids formatting errors that can occur when manually editing JSON.
Issue 2: API Key Has Expired or Been Revoked
An API key may become invalid for the following reasons:
- The old key was manually revoked in the provider's console
- The key has reached its configured expiration time
- The provider force-rotated the key for security reasons
- Account billing issues caused the key to be suspended
The solution is to log into the corresponding provider's console and generate a new API key:
- OpenAI: platform.openai.com/api-keys
- Anthropic: console.anthropic.com/settings/keys
- Google AI Studio: aistudio.google.com/apikey
Update the new key in the OpenClaw configuration after generation.
Issue 3: Configure Multi-Provider Key Rotation
To prevent a single key failure from causing service interruption, configure key rotation and automatic validation:
{
"providers": {
"openai": {
"apiKeys": [
"sk-proj-primary-key",
"sk-proj-backup-key"
],
"keyValidation": {
"enabled": true,
"intervalMinutes": 60,
"removeInvalid": true
}
}
}
}
The keyValidation feature periodically checks the validity of each key. When it detects an invalid key, it automatically removes it from the rotation list and issues a warning in the logs.
Issue 4: Use Environment Variables for Secure Key Management
To avoid storing API keys in plaintext in configuration files, use environment variables:
export OPENCLAW_OPENAI_API_KEY="sk-proj-your-key"
export OPENCLAW_ANTHROPIC_API_KEY="sk-ant-api03-your-key"
Reference environment variables in the configuration file:
{
"providers": {
"openai": {
"apiKey": "${OPENCLAW_OPENAI_API_KEY}"
},
"anthropic": {
"apiKey": "${OPENCLAW_ANTHROPIC_API_KEY}"
}
}
}
If you use systemd to manage the OpenClaw service, configure environment variables in the service file:
[Service]
EnvironmentFile=/etc/openclaw/env
ExecStart=/usr/local/bin/openclaw start
Verifying the Fix
After updating the key, restart OpenClaw and verify:
openclaw restart
openclaw doctor
openclaw doctor performs API connectivity tests for all configured providers and displays the authentication status of each. If all providers show a green status, the authentication issue has been resolved.
You can also manually trigger a test request:
openclaw test-message --channel telegram --text "Test message"
Check the logs to confirm the message was processed successfully.