← Back to Docs

OpenClaw Integration

Secure replacement for keys.json in OpenClaw agents

The Problem

OpenClaw agents typically store credentials in a keys.json file:

keys.json (Insecure)

{
  "openai": "sk-proj-xxx",
  "anthropic": "sk-ant-xxx",
  "serpapi": "xxx"
}

Plaintext credentials on disk!

AVP (Secure)

vault.enc (AES-256)
├── openai_key
├── anthropic_key
└── serpapi_key

Encrypted with password

Security Risk: Plaintext keys.json files are easily compromised through:

Installation

pip install openclaw-avp

Quick Start

from openclaw_avp import SecureKeyManager

# Create secure key manager (replaces keys.json)
keys = SecureKeyManager(
    vault_path="~/.avp/openclaw.enc",
    password="your-secure-password"
)

# Store keys (do this once)
keys.set("openai", "sk-proj-...")
keys.set("anthropic", "sk-ant-...")
keys.set("serpapi", "...")

# Use in your agent
from openclaw import Agent

agent = Agent(
    name="my-agent",
    llm_api_key=keys.get("openai"),
    tools_config={
        "search": {"api_key": keys.get("serpapi")}
    }
)

Migration from keys.json

Automatic Migration

from openclaw_avp import migrate_from_keys_json

# One-time migration
migrate_from_keys_json(
    keys_json_path="./keys.json",
    vault_path="~/.avp/openclaw.enc",
    password="your-password"
)

# Output:
# Migrated 3 keys:
#   - openai
#   - anthropic
#   - serpapi
#
# You can now delete keys.json

Manual Migration

# Using CLI
avp import keys.json --format json --workspace openclaw

# Then update your agent code to use AVP

SecureKeyManager API

from openclaw_avp import SecureKeyManager, Backend

# File backend (default, encrypted)
keys = SecureKeyManager(
    vault_path="~/.avp/openclaw.enc",
    password="password"
)

# Keychain backend (OS-native)
keys = SecureKeyManager(backend=Backend.KEYCHAIN)

# Memory backend (testing only)
keys = SecureKeyManager(backend=Backend.MEMORY)

Methods

# Store a key
keys.set("openai", "sk-proj-...")

# Retrieve a key
api_key = keys.get("openai")

# Check if key exists
if keys.has("openai"):
    print("OpenAI key configured")

# List all keys
all_keys = keys.list()
# ["openai", "anthropic", "serpapi"]

# Delete a key
keys.delete("old_key")

# Rotate a key
keys.rotate("openai", "sk-proj-new-...")

Drop-in Replacement

Update your existing OpenClaw agent with minimal changes:

Before (keys.json)

import json

with open("keys.json") as f:
    keys = json.load(f)

agent = Agent(
    llm_api_key=keys["openai"],
    ...
)

After (AVP)

from openclaw_avp import SecureKeyManager

keys = SecureKeyManager(
    "~/.avp/vault.enc", "pass"
)

agent = Agent(
    llm_api_key=keys.get("openai"),
    ...
)

Environment Variable Bridge

If your agent reads from environment variables, use the bridge mode:

from openclaw_avp import SecureKeyManager

keys = SecureKeyManager(
    vault_path="~/.avp/openclaw.enc",
    password="password"
)

# Load keys into environment variables
keys.load_to_env([
    "OPENAI_API_KEY",
    "ANTHROPIC_API_KEY",
    "SERPAPI_API_KEY"
])

# Now your agent can use os.getenv() as before
import os
api_key = os.getenv("OPENAI_API_KEY")  # Works!
Note: Environment variables are still in memory, but this approach avoids plaintext files on disk. For maximum security, use keys.get() directly.

Complete Example

"""OpenClaw agent with secure credential management."""

from openclaw import Agent, Tool
from openclaw_avp import SecureKeyManager
import os

def create_secure_agent():
    # Initialize secure key manager
    keys = SecureKeyManager(
        vault_path=os.path.expanduser("~/.avp/openclaw.enc"),
        password=os.getenv("AVP_PASSWORD")  # Password from env, not keys!
    )

    # Create agent with secure credentials
    agent = Agent(
        name="research-assistant",
        description="An AI research assistant",
        llm_provider="openai",
        llm_api_key=keys.get("openai"),
        llm_model="gpt-4",
        tools=[
            Tool(
                name="web_search",
                description="Search the web",
                config={"api_key": keys.get("serpapi")}
            ),
            Tool(
                name="arxiv",
                description="Search academic papers",
                config={"api_key": keys.get("arxiv")}
            )
        ]
    )

    return agent

def main():
    agent = create_secure_agent()

    # Run agent
    result = agent.run("Find recent papers on transformer architectures")
    print(result)

if __name__ == "__main__":
    main()

Setup Script

Create a setup script for first-time configuration:

#!/usr/bin/env python3
"""First-time setup for OpenClaw with AVP."""

from openclaw_avp import SecureKeyManager
import getpass
import os

def setup():
    print("OpenClaw Secure Credential Setup")
    print("=" * 40)

    vault_path = os.path.expanduser("~/.avp/openclaw.enc")

    # Get vault password
    password = getpass.getpass("Create vault password: ")
    confirm = getpass.getpass("Confirm password: ")

    if password != confirm:
        print("Passwords don't match!")
        return

    # Initialize key manager
    keys = SecureKeyManager(vault_path=vault_path, password=password)

    # Collect API keys
    print("\nEnter your API keys (press Enter to skip):\n")

    openai = getpass.getpass("OpenAI API key: ")
    if openai:
        keys.set("openai", openai)
        print("  ✓ OpenAI key stored")

    anthropic = getpass.getpass("Anthropic API key: ")
    if anthropic:
        keys.set("anthropic", anthropic)
        print("  ✓ Anthropic key stored")

    serpapi = getpass.getpass("SerpAPI key: ")
    if serpapi:
        keys.set("serpapi", serpapi)
        print("  ✓ SerpAPI key stored")

    print(f"\n✓ Credentials stored in {vault_path}")
    print("\nTo use in your agent:")
    print(f'  keys = SecureKeyManager("{vault_path}", password)')
    print('  api_key = keys.get("openai")')

    keys.close()

if __name__ == "__main__":
    setup()

Best Practices