Secrets Management

OpenClaw supports external secrets via SecretRef—point config values at secrets managed by your vault instead of hardcoding API keys or tokens. Use openclaw secrets for local secret management. SecretRef coverage expanded to 64+ targets in 2026.2.

Reference secrets from external vaults (HashiCorp Vault, Doppler, etc.) in your config. Example for gateway auth:

{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": { "secretRef": "gateway/token" }
    }
  }
}

Channel tokens, API keys, and gateway auth can all use SecretRef. Supported targets include provider API keys, Discord/Telegram tokens, and gateway password.

The CLI provides local secret management:

• openclaw secrets list — List configured secrets
• openclaw secrets set <key> — Store a secret (prompts for value)
• openclaw secrets export --unmasked — Export for headless/CI (use with care)

Secrets are stored in your OpenClaw home directory, encrypted when supported by the platform.

Configure your vault provider so OpenClaw can resolve secretRef keys. Supported backends include HashiCorp Vault and Doppler. Set VAULT_ADDR, DOPPLER_TOKEN, or provider-specific env vars before starting the gateway.

See the official docs for vault provider setup and the full list of SecretRef targets.