Rate This Document
Findability
Accuracy
Completeness
Readability

Manage API Keys Throughout the Lifecycle, Prohibit Plaintext Storage, and Rotate Keys Periodically

By default, OpenClaw stores API keys in plaintext within its configuration files, which poses a critical security risk. If the system is compromised, attackers can directly obtain your commercial service keys (such as Anthropic or OpenAI), potentially leading to unexpected charges or data leaks. Storing API keys in plaintext is strictly prohibited. If any associated instances have been exposed to the public network, you must immediately regenerate or replace those credentials. Adopt an encryption solution to avoid storing sensitive data in plaintext (see Step 1 in 2.2.2).

In addition, ensure that configuration files, memory, and logs do not contain plaintext passwords or any other sensitive information.