This is the canonical policy for secrets in OpenClaw/OpenClawBrain workspaces.
tokenFile paths, and local file locations.

- Keep each project's env file at `~/.openclaw/credentials/env/<project>.env` and set chmod 600.
- Keep `.env` as a symlink to that centralized file so existing app/runtime loading still works.
- Keep operator tokens at `~/.openclaw/credentials/*.token` and set chmod 600.

Safe setup (no value printing):
```bash
mkdir -p ~/.openclaw/credentials/env ~/.openclaw/credentials
repo_dir=~/path/to/repo                                # placeholder: your checkout
project_env=~/.openclaw/credentials/env/<project>.env  # placeholder: replace <project>
# Back up and move an existing local .env into centralized storage.
# The backup is a plaintext copy inside the repo; keep .env.backup.* gitignored.
if [ -f "$repo_dir/.env" ] && [ ! -L "$repo_dir/.env" ]; then
  cp "$repo_dir/.env" "$repo_dir/.env.backup.$(date +%Y%m%d%H%M%S)"
  mv "$repo_dir/.env" "$project_env"
fi
# Owner-only permissions on the centralized file (skipped if nothing was moved yet).
[ -f "$project_env" ] && chmod 600 "$project_env"
# Replace any stale symlink, then point the repo's .env at the centralized file.
[ -L "$repo_dir/.env" ] && rm "$repo_dir/.env"
ln -s "$project_env" "$repo_dir/.env"
# Tokens are owner-only as well; ignore the error when none exist yet.
chmod 600 ~/.openclaw/credentials/*.token 2>/dev/null || true
```
Each registry entry should track:

- service: provider or system (for example, Mapbox).
- capability: what the secret enables.
- required_keys: required env var names.
- storage_pointer: local pointer (env file path, tokenFile, or equivalent).
- verify: boolean check only (no value output).
- notes: scope, rotation, and handling constraints.

Registry entries:

- service: Mapbox
  - capability: maps, geocoding, tiles, routing
  - required_keys: VITE_MAPBOX_TOKEN, MAPBOX_API_KEY, MAPBOX_SECRET_TOKEN
  - storage_pointer: .env* key location or operator token file
  - verify: key assignment is non-empty (true/false)
  - notes: VITE_MAPBOX_TOKEN is public-facing; keep secret tokens server-side
- service: Perplexity
  - capability: web-grounded LLM search
  - required_keys: PPLX_API_KEY
  - storage_pointer: .env* key location
  - verify: key assignment is non-empty (true/false)
  - notes: rotate on exposure or permission changes
- service: Polygon
  - capability: market data APIs
  - required_keys: POLYGON_API_KEY
  - storage_pointer: .env* key location
  - verify: key assignment is non-empty (true/false)
  - notes: scope to required market products
- service: NewsAPI
  - capability: top-headlines and article search
  - required_keys: NEWSAPI_KEY
  - storage_pointer: .env* key location
  - verify: key assignment is non-empty (true/false)
  - notes: monitor plan limits and rotate when needed
- service: OpenAI
  - capability: embeddings + LLM calls
  - required_keys: OPENAI_API_KEY
  - storage_pointer: .env* key location
  - verify: key assignment is non-empty (true/false)
  - notes: used by the broader OpenClaw runtime if configured for OpenAI-based agent or tool paths. OpenClawBrain itself does not require this key — its default stack uses local BGE-large embeddings and a local Ollama teacher.
- service: SEC/EDGAR
  - capability: public filings access
  - required_keys: none
  - storage_pointer: not applicable
  - verify: true (no key required)
  - notes: follow fair-access/User-Agent guidelines
- service: ClinicalTrials.gov
  - capability: public clinical-trial registry queries
  - required_keys: none
  - storage_pointer: not applicable
  - verify: true (no key required)
  - notes: no key needed for standard public endpoints
- service: FDA open data
  - capability: OpenFDA public datasets and search endpoints
  - required_keys: none
  - storage_pointer: not applicable
  - verify: true (no key required)
  - notes: no key needed for standard public endpoints

Run pointer harvest and leak-audit jobs using the current OpenClawBrain TypeScript tooling for your workspace.
Required behavior:
~/.openclaw/credentials by default unless explicitly disabled
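The registry's `verify` field and the chmod 600 requirement can both be checked without ever printing a value. The following is an added shell example, not OpenClawBrain's own harvest or leak-audit tooling; the sample env file and its placeholder values are constructed for the demonstration.

```shell
# Added example, not OpenClawBrain's own tooling: boolean-only checks for
# registry entries ("verify: key assignment is non-empty") and for the
# chmod 600 requirement on centralized credential files.

# verify_key FILE KEY -> 0 if KEY is assigned a non-empty value in FILE.
# Only the key name ever appears in output; the value is never echoed.
verify_key() {
  file=$1; key=$2
  [ -f "$file" ] || return 1
  # Accept `KEY=value` and `export KEY=value` with optional quotes; reject
  # empty values, empty quotes and commented-out lines.
  grep -Eq "^(export[[:space:]]+)?${key}=[\"']?[^\"'[:space:]]+" "$file"
}

# verify_mode FILE -> 0 if the file mode is exactly 600 (GNU or BSD stat).
verify_mode() {
  file=$1
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file" 2>/dev/null)
  [ "$mode" = "600" ]
}

# verify_entry FILE KEY... -> prints KEY=true|false per required key and
# returns 0 only when every key is set and the file mode is 600.
verify_entry() {
  file=$1; shift
  status=0
  for key in "$@"; do
    if verify_key "$file" "$key"; then echo "$key=true"
    else echo "$key=false"; status=1; fi
  done
  verify_mode "$file" || { echo "mode_600=false"; status=1; }
  return $status
}

# Constructed sample env file (fake placeholder values) for demonstration.
make_sample_env() {
  sample=$(mktemp -d)/sample.env
  cat > "$sample" <<'EOF'
VITE_MAPBOX_TOKEN=pk.constructed-public-token
MAPBOX_API_KEY=
export PPLX_API_KEY="constructed-value"
# POLYGON_API_KEY=commented-out
EOF
  chmod 600 "$sample"
  printf '%s\n' "$sample"
}

# Usage: check the Mapbox registry entry's keys against the sample file.
verify_entry "$(make_sample_env)" VITE_MAPBOX_TOKEN MAPBOX_API_KEY || true
```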