Home Tutorials Categories Skills About
ZH EN JA KO
Security-Ops

openclaw secrets: Secret Management Command Guide

· 8 min read

Command Overview

The openclaw secrets command provides secure storage and management for secrets. All sensitive information (API keys, tokens, etc.) should be managed through this command rather than written directly in configuration files.

Basic Operations

Set a Secret

openclaw secrets set OPENAI_API_KEY "sk-your-key-here"
openclaw secrets set TELEGRAM_BOT_TOKEN "123456:ABC-DEF"

Read from standard input (avoids the secret appearing in command history):

openclaw secrets set OPENAI_API_KEY --stdin
# Enter the key, then press Ctrl+D

Read from a file:

openclaw secrets set SSL_CERT --from-file /path/to/cert.pem

View Secret List

openclaw secrets list

Stored Secrets:
  Name                  Set Date      Last Used
  ─────────────────────────────────────────────
  OPENAI_API_KEY        2026-03-01    2 min ago
  TELEGRAM_BOT_TOKEN    2026-03-01    5 min ago
  ANTHROPIC_API_KEY     2026-03-05    1 hour ago
  DISCORD_BOT_TOKEN     2026-03-08    3 hours ago

Total: 4 secrets

View a Secret Value

openclaw secrets get OPENAI_API_KEY

By default, the value is partially masked: sk-****...****xyz

To view the full value:

openclaw secrets get OPENAI_API_KEY --show

Delete a Secret

openclaw secrets delete OLD_API_KEY

Check if a Secret Exists

openclaw secrets has OPENAI_API_KEY
# Exit code 0 = exists, 1 = does not exist

Bulk Operations

Import from a .env File

openclaw secrets import .env

Import from Environment Variables

openclaw secrets import-env OPENAI_API_KEY
openclaw secrets import-env --pattern "OPENCLAW_*"

Export (Encrypted)

openclaw secrets export --output secrets-backup.enc
openclaw secrets export --output secrets-backup.enc --password

Import an Encrypted Backup

openclaw secrets import --input secrets-backup.enc

Secret Verification

Verify whether a secret is valid:

openclaw secrets verify OPENAI_API_KEY

Verifying OPENAI_API_KEY...
  ✓ Format: valid OpenAI API key
  ✓ Authentication: successful
  ✓ Permissions: full access
  ✓ Organization: your-org

Verify all secrets at once:

openclaw secrets verify --all

Secret Rotation

# Set a new key (automatically overwrites the old value)
openclaw secrets set OPENAI_API_KEY "sk-new-key"

# Restart to apply the new key
openclaw restart

Set a rotation reminder:

openclaw secrets set-reminder OPENAI_API_KEY --days 90

Referencing in Configuration

Use double curly brace syntax to reference secrets in configuration files:

{
  "providers": {
    "openai": {
      "apiKey": "{{OPENAI_API_KEY}}"
    }
  }
}

See which secrets are referenced by the configuration:

openclaw secrets usage

Secret Usage:
  OPENAI_API_KEY       → providers.openai.apiKey
  TELEGRAM_BOT_TOKEN   → channels.telegram.token
  ANTHROPIC_API_KEY    → providers.anthropic.apiKey (unused)
  DISCORD_BOT_TOKEN    → channels.discord.token

Security Audit

openclaw secrets audit

Security Audit:
  ⚠ OPENAI_API_KEY: not rotated in 95 days (recommend: 90)
  ✓ TELEGRAM_BOT_TOKEN: rotated 15 days ago
  ⚠ ANTHROPIC_API_KEY: set but not used in config
  ✓ Secrets file permissions: 600 (correct)
  ✓ Encryption: AES-256 (current)

Summary

openclaw secrets is a critical tool for keeping sensitive information secure. Making a habit of managing all keys through the secrets command and regularly performing security audits and key rotations is foundational to maintaining OpenClaw service security.

OpenClaw is a free, open-source personal AI assistant that supports WhatsApp, Telegram, Discord, and many more platforms
More Tutorials Download Skills

Related Tutorials

Secrets Management In-Depth Guide
Gateway Authentication Mechanisms Explained
Health Check API Explained