โ† Back to cheatsheet

External Secrets Management

OpenClaw v2026.3.1 introduces a complete openclaw secrets workflow (audit, configure, apply, and reload) with ref-only auth profiles that keep credentials out of your config files entirely.

v2026.3.1 · Security

What You Need to Know

Storing API keys directly in openclaw.json has always been the quick-start approach, but it creates real security risks: the config file is readable by the assistant (so anything that can steer the assistant into reading a file can read your keys), it can be accidentally committed to git, and its contents tend to travel onward into backups, bug reports, and support bundles. External secrets solve this by referencing credentials from a secure store instead of inlining them: the file holds only pointers, and the values live where access can be controlled and logged.

openclaw secrets audit scans your current configuration for inline credentials and reports which keys should be externalized. It flags API keys, OAuth tokens, bot tokens, and any string that matches common secret patterns. Run it first to understand your current exposure, and again after every change. Pattern-based detection cannot recognize every opaque string, so a clean audit is a necessary check, not proof that nothing sensitive remains.

openclaw secrets configure sets up the connection to your secret store. Supported backends include environment variables, file-based stores, and external vault services. You define named auth profiles that reference where each credential lives rather than what it contains.

openclaw secrets apply rewrites your config to use ref-only profiles. Where you previously had "apiKey": "sk-abc123...", you now have "apiKey": { "$ref": "env:ANTHROPIC_API_KEY" }. The actual value is resolved at runtime from the configured store, and your config file becomes safe to share, commit, and inspect. Two caveats apply. Rewriting the file does not undo earlier exposure: if the inline key was ever committed, treat it as leaked and rotate it. And the env backend only moves the secret into the gateway's process environment, which is inherited by every child process the gateway spawns and is readable through /proc/<pid>/environ by any process running as the same user; prefer a file or vault backend where that matters.

openclaw secrets reload refreshes credentials from the store without restarting the gateway. This is essential for rotating keys: update the secret in your store, run reload, and the gateway picks up the new value with zero downtime. Rotate with overlap where the provider allows it: create the new key, update the store, reload, confirm the gateway is using the new key, then revoke the old one, so requests in flight during the swap are not failed by a key that no longer exists. Combined with audit, this creates a continuous security hygiene loop: audit exposure, externalize secrets, rotate regularly, and reload without disruption.
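The loop the four commands describe, modelled end to end as an added example that is not OpenClaw's code. The {"$ref": "env:NAME"} shape is taken from the page; everything else is an assumption made for illustration: the "file:" backend name, the detection patterns, the dotted-path addressing in externalize, and the sample config, whose values are constructed fakes. It shows what a practitioner wants to verify at each step: audit finds the inline keys, the rewritten config audits clean, a preflight refuses to reload when a ref does not resolve (so a rotation typo cannot swap in a blank key), and reloading after rotation changes the live value without touching the committed file.

```python
# Added example, not OpenClaw's code: a toy model of the audit -> apply ->
# resolve -> reload loop. Assumptions not taken from the page: a ref is exactly
# {"$ref": "<backend>:<locator>"}; the backends modelled are "env" (a mapping,
# defaulting to the process environment) and "file" (a path whose stripped
# contents are the secret); the patterns and the sample config are constructed.
import copy
import os
import re

# Constructed sample config with inline credentials; every value is fake.
INLINE_CONFIG = {
    "provider": {"apiKey": "sk-ant-api03-FAKEFAKEFAKEFAKEFAKEFAKEFAKE"},
    "telegram": {"botToken": "123456789:AAFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK"},
    "github": {"token": "ghp_FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE"},
    "model": "claude-sonnet",
    "temperature": 0.2,
}

# Illustrative detectors only; a real audit ships a larger, tuned set.
SECRET_PATTERNS = {
    "anthropic_key": re.compile(r"^sk-ant-[A-Za-z0-9_-]{20,}$"),
    "telegram_bot_token": re.compile(r"^\d{6,}:[A-Za-z0-9_-]{30,}$"),
    "github_pat": re.compile(r"^gh[pousr]_[A-Za-z0-9]{30,}$"),
}
SECRET_KEY_NAMES = re.compile(r"(key|token|secret|password)$", re.I)

def is_ref(value):
    return isinstance(value, dict) and set(value) == {"$ref"}

def walk(node, path=()):
    """Yield (path tuple, leaf) for every leaf; a ref object counts as one leaf."""
    if isinstance(node, dict) and not is_ref(node):
        for k, v in node.items():
            yield from walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, path + (i,))
    else:
        yield path, node

def audit(config):
    """Return [(dotted path, reason)] for inline credentials; refs never fire."""
    findings = []
    for path, value in walk(config):
        if not isinstance(value, str):
            continue
        dotted = ".".join(map(str, path))
        hits = [name for name, pat in SECRET_PATTERNS.items() if pat.match(value)]
        if hits:
            findings.append((dotted, hits[0]))
        elif SECRET_KEY_NAMES.search(str(path[-1])) and len(value) >= 16:
            findings.append((dotted, "secret-like key name"))
    return findings

def externalize(config, refs):
    """Swap each dotted path in `refs` for its ref; return (ref-only config, extracted)."""
    out = copy.deepcopy(config)
    extracted = {}  # ref -> value: what the operator loads into the store, never into the repo
    for dotted, ref in refs.items():
        *parents, leaf = dotted.split(".")
        node = out
        for p in parents:
            node = node[p]
        extracted[ref] = node[leaf]
        node[leaf] = {"$ref": ref}
    return out, extracted

def lookup(ref, environ):
    """Fetch one secret by ref; None when the store has no value for it."""
    backend, _, locator = ref.partition(":")
    if backend == "env":
        return environ.get(locator)
    if backend == "file":
        try:
            with open(locator, encoding="utf-8") as fh:
                return fh.read().strip()
        except OSError:
            return None
    raise ValueError(f"unknown secret backend {backend!r} in {ref!r}")

def missing_refs(config, environ=None):
    """Preflight for reload: the refs that would not resolve against the store."""
    environ = os.environ if environ is None else environ
    return [v["$ref"] for _, v in walk(config) if is_ref(v) and lookup(v["$ref"], environ) is None]

def resolve(config, environ=None):
    """Copy `config` with every ref replaced by its value; fail closed if any is missing."""
    environ = os.environ if environ is None else environ
    missing = missing_refs(config, environ)
    if missing:
        raise KeyError(f"unresolvable secret refs, refusing to load: {missing}")
    out = copy.deepcopy(config)
    for path, value in [(p, v) for p, v in walk(out) if is_ref(v)]:
        node = out
        for p in path[:-1]:
            node = node[p]
        node[path[-1]] = lookup(value["$ref"], environ)
    return out  # a reload is just calling this again after the store changed

def demo():
    """Run the loop end to end against an in-memory stand-in for the store."""
    refs = {"provider.apiKey": "env:ANTHROPIC_API_KEY",
            "telegram.botToken": "env:TELEGRAM_BOT_TOKEN",
            "github.token": "env:GITHUB_TOKEN"}
    ref_only, extracted = externalize(INLINE_CONFIG, refs)
    store = {ref.partition(":")[2]: v for ref, v in extracted.items()}
    live = resolve(ref_only, store)
    store["ANTHROPIC_API_KEY"] = "sk-ant-api03-ROTATEDROTATEDROTATEDROTATED"  # rotate in the store only
    return {"before": audit(INLINE_CONFIG), "after": audit(ref_only),
            "ref_only": ref_only, "live": live, "reloaded": resolve(ref_only, store),
            "missing_when_store_empty": missing_refs(ref_only, {})}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The preflight in missing_refs is the part worth copying into any real reload path: resolving lazily and letting a missing variable become an empty string is how a rotation turns into an outage (or, worse, into requests authenticated with whatever stale value was cached). Resolving everything up front and refusing to swap if anything is missing keeps the old credentials in service until the store is consistent.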