OpenClaw API Key Security: Best Practices 2026
Protect your LLM and service API keys in OpenClaw. Best practices for storage, rotation, spending limits, and what nacre.sh does automatically.
Your OpenClaw instance holds multiple sensitive API keys: LLM providers (Anthropic, OpenAI), communication services (Telegram bot token, Slack token), and third-party integrations. A leaked key can mean unexpected bills, data access, or service abuse. Here's how to protect them.
The Risks of Poor API Key Management
Financial exposure: A leaked OpenAI or Anthropic key can be used by attackers to run expensive queries billed to your account. Bills of thousands of dollars accumulated within hours have been documented.
Data access: Service API keys (Gmail, Slack, etc.) provide access to your data. A leaked Slack token could expose your entire workspace.
Reputation damage: A leaked GitHub token could allow code modification under your name.
OpenClaw's Secrets System
Never put API keys directly in openclaw.json. Use the secrets system:
# Store a secret
openclaw secrets set ANTHROPIC_API_KEY sk-ant-...
# Reference in config
{
  "llm": {
    "provider": "anthropic",
    "api_key": "${ANTHROPIC_API_KEY}"
  }
}
Secrets are stored encrypted separately from the config file.
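As an added example (not code from OpenClaw or nacre.sh), the script below walks an openclaw.json-style config and reports two hygiene problems: a sensitive field holding a literal credential instead of a ${NAME} reference, and a reference whose secret has not been stored. The set of sensitive field names and the sample config are assumptions for illustration.

```python
import json
import os
import re
from typing import Optional

# A value counts as a secret reference only if it is exactly ${NAME}; anything else
# in a sensitive field is a literal credential that does not belong in openclaw.json.
REF_RE = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")
# Field names treated as sensitive (assumption; extend to match your own config).
SENSITIVE_FIELDS = {"api_key", "token", "bot_token", "secret", "password"}


def audit_config(config: dict, secrets: dict, path: str = "") -> dict:
    """Return {"plaintext": [...], "unresolved": [...]} with dotted paths of
    sensitive fields that hold a literal value, or that reference a secret
    name missing from `secrets` (e.g. never stored with `openclaw secrets set`)."""
    report = {"plaintext": [], "unresolved": []}
    for key, value in config.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            sub = audit_config(value, secrets, here)
            report["plaintext"] += sub["plaintext"]
            report["unresolved"] += sub["unresolved"]
        elif key in SENSITIVE_FIELDS and isinstance(value, str):
            match = REF_RE.match(value)
            if match is None:
                report["plaintext"].append(here)
            elif match.group(1) not in secrets:
                report["unresolved"].append(here)
    return report


def audit_file(config_path: str, secrets: Optional[dict] = None) -> dict:
    """Audit a config file on disk; by default references are checked against the environment."""
    with open(config_path, encoding="utf-8") as fh:
        return audit_config(json.load(fh), os.environ if secrets is None else secrets)


# Constructed sample config: one correct reference, one literal key, one dangling reference.
SAMPLE_CONFIG = {
    "llm": {
        "provider": "anthropic",
        "api_key": "${ANTHROPIC_API_KEY}",
        "fallback": {"provider": "openai", "api_key": "sk-EXAMPLE-literal-do-not-do-this"},
    },
    "channels": {"telegram": {"bot_token": "${TELEGRAM_BOT_TOKEN}"}},
}
# Constructed secret store: only the Anthropic key has been set.
SAMPLE_SECRETS = {"ANTHROPIC_API_KEY": "placeholder-value"}

if __name__ == "__main__":
    print(json.dumps(audit_config(SAMPLE_CONFIG, SAMPLE_SECRETS), indent=2))
```

Running the audit against the real config before each deploy catches a key pasted into openclaw.json before it reaches a backup or a git commit.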
Environment Variables
For self-hosted deployments, use environment variables:
export OPENCLAW_ANTHROPIC_KEY=sk-ant-...
export OPENCLAW_OPENAI_KEY=sk-...
On Linux, set these in the systemd unit file with EnvironmentFile= pointing to a file owned by the service user with mode 0600, so only that user can read the keys.
Spending Limits (Critical)
Set spending limits on every LLM provider account immediately.
- Anthropic: Monthly budget alerts and hard limits in Account Settings
- OpenAI: Monthly spending limits in API settings
- OpenRouter: Per-key and account limits
A $50/month limit caps the financial damage a leaked key can cause at $50, so a compromise is a nuisance rather than a catastrophe.
Rotation Schedule
Rotate API keys regularly:
- LLM API keys: Monthly or on any suspicion of compromise
- Communication keys (Telegram, Discord): Quarterly
- Integration keys (Gmail, GitHub): Quarterly
nacre.sh Key Management
nacre.sh manages API keys with:
- AES-256 encrypted storage, keys never in plaintext
- Automatic rotation prompts
- Access logging (who/when keys were accessed)
- Revocation if suspicious usage detected
You add keys once during setup. nacre.sh handles the rest.
Frequently Asked Questions
What if I accidentally committed a key to GitHub?
Revoke it immediately and treat it as compromised, even if you delete it from the repository afterwards. Then remove it from git history with BFG Repo-Cleaner. Set up a pre-commit hook (for example with the git-secrets tool) to block future key leaks before they are committed.
Does nacre.sh see my API keys?
nacre.sh stores keys encrypted. The infrastructure can use the keys (to make API calls on your behalf) but keys are not visible in plaintext to nacre.sh employees.
How do I know if my key was leaked?
Monitor API provider usage dashboards. Unexpected usage spikes, especially from unfamiliar IP ranges, indicate potential key compromise. All major providers offer usage alerts.