Secrets Management

Store API keys and tokens securely with SecretRef and vaults

OpenClaw supports external secrets via SecretRef—point config values at secrets managed by your vault instead of hardcoding API keys or tokens in the config file. Use the openclaw secrets CLI for local secret management. SecretRef coverage expanded to 64+ targets in 2026.2.

SecretRef

Reference secrets from external vaults (HashiCorp Vault, Doppler, etc.) in your config. Example for gateway auth:

Gateway token from vault
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": { "secretRef": "gateway/token" }
    }
  }
}

Channel tokens, API keys, and gateway auth can all use SecretRef. Supported targets include provider API keys, Discord/Telegram bot tokens, and the gateway password.
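As an added example (not OpenClaw's own code), here is how a resolver can expand {"secretRef": "..."} entries like the one above against a vault lookup, fail closed on an unknown ref, and record which config paths were resolved so the expanded config can be redacted before it is logged. The vault contents, the config and the function names are constructed stand-ins, not OpenClaw's API.

```python
from typing import Any, Callable, Dict, List, Tuple

# Constructed in-memory stand-in for a vault backend (HashiCorp Vault, Doppler, ...);
# a real resolver would query the backend reached via VAULT_ADDR / DOPPLER_TOKEN.
FAKE_VAULT: Dict[str, str] = {
    "gateway/token": "tok-constructed-1234567890",
    "channels/discord/token": "discord-constructed-abcdef",
}

def vault_lookup(path: str) -> str:
    """Fail closed: an unknown ref aborts startup instead of yielding an empty token."""
    if path not in FAKE_VAULT:
        raise KeyError(f"secretRef '{path}' not found in vault")
    return FAKE_VAULT[path]

def _child(path: str, key: Any) -> str:
    # Dotted config path for a child key; list indices are rendered as [i].
    return f"{path}[{key}]" if isinstance(key, int) else (f"{path}.{key}" if path else str(key))

def resolve_secret_refs(node: Any, lookup: Callable[[str], str],
                        path: str = "") -> Tuple[Any, List[str]]:
    """Copy `node` with each {"secretRef": ...} replaced; also return the resolved paths."""
    if isinstance(node, dict) and set(node) == {"secretRef"}:
        ref = node["secretRef"]
        if not isinstance(ref, str) or not ref:
            raise ValueError(f"{path}: secretRef must be a non-empty string")
        return lookup(ref), [path]
    if isinstance(node, (dict, list)):
        pairs = node.items() if isinstance(node, dict) else enumerate(node)
        parts = {k: resolve_secret_refs(v, lookup, _child(path, k)) for k, v in pairs}
        found = [p for _, sub in parts.values() for p in sub]
        if isinstance(node, dict):
            return {k: v for k, (v, _) in parts.items()}, found
        return [v for v, _ in parts.values()], found
    return node, []

def redact(node: Any, secret_paths: List[str], path: str = "") -> Any:
    """Log-safe view of a resolved config: resolved secret values never reach the log."""
    if path in secret_paths:
        return "<redacted>"
    if isinstance(node, dict):
        return {k: redact(v, secret_paths, _child(path, k)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, secret_paths, _child(path, i)) for i, v in enumerate(node)]
    return node

# Constructed config mirroring the gateway-token example above, plus a channel token.
CONFIG = {
    "gateway": {"auth": {"mode": "token", "token": {"secretRef": "gateway/token"}}},
    "channels": {"discord": {"token": {"secretRef": "channels/discord/token"}}},
}
```

Log only `redact(resolved, secret_paths)`, never the raw resolved config, and treat a resolution error as a startup failure.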

openclaw secrets

The CLI provides local secret management:

  • openclaw secrets list — List configured secrets
  • openclaw secrets set <key> — Store a secret (prompts for value)
  • openclaw secrets export --unmasked — Export secrets unmasked for headless/CI use (the output contains the plaintext values; handle it with care)

Secrets are stored in your OpenClaw home directory, encrypted when supported by the platform.

Vault Integration

Configure your vault provider so OpenClaw can resolve secretRef values. Supported backends include HashiCorp Vault and Doppler. Set VAULT_ADDR, DOPPLER_TOKEN, or the provider-specific environment variables before starting the gateway.

See the official docs for vault provider setup and the full list of SecretRef targets.

Rotation and audit

  1. Rotate channel bot tokens after public-room tests.
  2. Re-run openclaw onboard after a provider key leaks.
  3. Restart the gateway and send one test message per channel.

See the hardening checklist.

Anti-patterns

Avoid checking .env into git, sharing tokens in Discord, or reusing the same bot token across staging and prod. Use openclaw secrets or vault refs, with separate secrets for each environment.