Expanded SecretRef support across 64 credential targets — runtime collectors, openclaw secrets planning/apply/audit flows.
Expanded Secrets & SecretRef
v2026.3.2 significantly expands SecretRef support — keeping credentials out of your config files and in secure stores.
Coverage
- 64 credential targets — API keys, OAuth tokens, bot tokens, and more can now use ref-only profiles
- Runtime collectors — Credentials resolved at runtime from env vars, files, or external vaults
- openclaw secrets — Full workflow: audit, configure, apply, reload
Workflow
openclaw secrets audit # Scan config for inline credentials
openclaw secrets configure # Set up store connection
openclaw secrets apply # Rewrite config to use refs
openclaw secrets reload # Refresh without restart
Ref format
{
  "apiKey": { "$ref": "env:ANTHROPIC_API_KEY" }
}
Your config stays safe to share and commit. Credentials live in the store.
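A sketch of what an audit pass looks for and how an env: ref is resolved at runtime, added here as an illustration and not openclaw's own code. The sensitive key-name list, the function names and the sample config are assumptions; only the env: ref shape comes from this page.

```python
import json

# Assumption: substrings that mark a key as credential-bearing (not openclaw's list).
SENSITIVE = ("key", "token", "secret", "password")

def is_ref(value):
    """True for the ref shape shown on this page: {"$ref": "<source>:<name>"}."""
    return (isinstance(value, dict) and set(value) == {"$ref"}
            and isinstance(value["$ref"], str) and ":" in value["$ref"])

def find_inline_credentials(node, path=""):
    """Return config paths where a credential-like key holds a literal string."""
    hits = []
    if isinstance(node, dict) and not is_ref(node):
        for k, v in node.items():
            child = f"{path}.{k}" if path else k
            if isinstance(v, str) and any(s in k.lower() for s in SENSITIVE):
                hits.append(child)
            else:
                hits.extend(find_inline_credentials(v, child))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits.extend(find_inline_credentials(v, f"{path}[{i}]"))
    return hits

def resolve_env_refs(node, env):
    """Return a copy with env: refs replaced from `env`; fail closed if unset."""
    if is_ref(node):
        source, name = node["$ref"].split(":", 1)
        if source != "env":
            return node  # other sources are left unresolved in this sketch
        if name not in env:
            raise KeyError(f"unset environment variable: {name}")
        return env[name]
    if isinstance(node, dict):
        return {k: resolve_env_refs(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_env_refs(v, env) for v in node]
    return node

# Constructed sample config: one ref (as on this page) and one inline credential.
SAMPLE = json.loads("""{
  "apiKey": {"$ref": "env:ANTHROPIC_API_KEY"},
  "channels": [{"name": "demo", "botToken": "constructed-inline-value"}]
}""")

if __name__ == "__main__":
    for p in find_inline_credentials(SAMPLE):
        print("inline credential at", p)
```

Only the resolved copy held in memory contains secret values; the file on disk keeps the refs, which is what makes it shareable once the audit reports no inline hits.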