DEV Community

The Seventeen

How to Make Your OpenClaw Agent Call Any API Without Exposing Your Keys

Your OpenClaw agent is smart. It can browse the web, write code, manage files. But the moment you need it to call Stripe, or hit the GitHub API, or query a database, you're stuck pasting API keys into places they don't belong.

This tutorial shows you how to set up AgentSecrets with OpenClaw so your agent can make authenticated API calls to any service, with your keys locked in your OS keychain where they belong.

No .env files. No plaintext. No key values in your chat logs.

Time to set up: ~2 minutes.

Prerequisites

  • OpenClaw installed and running
  • One of: Python, Node.js, Go, or Homebrew (for installation)
  • At least one API key you want to use (Stripe, OpenAI, GitHub, anything)

Step 1: Install AgentSecrets

AgentSecrets is a single CLI binary. Choose your preferred way to get it:

Option A: Homebrew (macOS/Linux)

brew install The-17/tap/agentsecrets

Option B: npm/npx (Node.js)

# Run without installing
npx @the-17/agentsecrets init

# Or install globally
npm install -g @the-17/agentsecrets

Option C: pip (Python)

pip install agentsecrets

Option D: Go (From source)

go install github.com/The-17/agentsecrets/cmd/agentsecrets@latest

Step 2: Create Your Account

agentsecrets init

This is interactive. You'll create a free account (email + password) and your encryption keys will be generated and stored in your OS keychain automatically.

What just happened: An X25519 keypair was generated on your machine. The private key went into your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service). The public key was sent to the server. Your keys are encrypted client-side — the server only stores encrypted blobs it can't read.

Step 3: Store Your API Keys

# Store whatever keys you use
agentsecrets secrets set STRIPE_KEY=sk_test_51Hxxxxx
agentsecrets secrets set OPENAI_KEY=sk-proj-xxxxxxx
agentsecrets secrets set GITHUB_TOKEN=ghp_xxxxxxxxx

Each key is:

  1. Encrypted with AES-256-GCM using your workspace key
  2. Uploaded to the cloud (encrypted — server can't read them)
  3. Stored in your OS keychain for instant local access

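Now delete those keys from ~/.openclaw/.env if they're there. They're safe in your keychain now. Because the values were typed on the command line in this step, they may also be sitting in your shell history; remove those entries too.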
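
A quick way to confirm the cleanup, as an added example (not part of AgentSecrets): the function below reports which of the key names stored in this step still have a plaintext assignment in a file, printing file, line number and name but never the value. The function name and the sample file are assumptions; point it at ~/.openclaw/.env or any other dotenv-style file.

```shell
#!/usr/bin/env bash
# Added example, not part of AgentSecrets. Names and paths are assumptions.

# find_plaintext_keys FILE NAME...
# Prints "FILE:LINE:NAME" for every non-empty assignment NAME=... in FILE
# (values are never printed). Returns 1 if any were found, else 0.
find_plaintext_keys() {
  local file
  file=$1
  shift
  [ -r "$file" ] || return 0   # no readable file, nothing left behind
  awk -v names="$*" '
    BEGIN {
      n = split(names, list, " ")
      for (i = 1; i <= n; i++) wanted[list[i]] = 1
      q = sprintf("[ \t%c%c]", 34, 39)         # space, tab, double and single quote
    }
    {
      line = $0
      sub("^[ \t]*(export[ \t]+)?", "", line)  # accept "export NAME=value"
      eq = index(line, "=")
      if (eq < 2) next
      name = substr(line, 1, eq - 1)
      value = substr(line, eq + 1)
      gsub("^" q "+|" q "+$", "", value)       # treat NAME= and NAME="" as empty
      if ((name in wanted) && value != "") { print FILENAME ":" NR ":" name; found = 1 }
    }
    END { exit (found ? 1 : 0) }
  ' "$file"
}

# Constructed sample standing in for ~/.openclaw/.env (values are fake).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# OPENAI_KEY=commented-out
export STRIPE_KEY="sk_test_CONSTRUCTED"
GITHUB_TOKEN=
LOG_LEVEL=debug
EOF

find_plaintext_keys "$sample" STRIPE_KEY OPENAI_KEY GITHUB_TOKEN ||
  echo "plaintext keys remain"
```

The non-zero return status makes the function usable as a pre-commit or CI check on any directory that used to hold a .env file.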

Step 4: Install the OpenClaw Skill

Option A: From ClawHub (when available)

openclaw skill install agentsecrets

Option B: Manual install

Copy the skill directory into your OpenClaw skills folder:

cp -r /path/to/agentsecrets/integrations/openclaw ~/.openclaw/skills/agentsecrets

Step 5: Use It

Now just talk to your OpenClaw agent naturally:

You: "Check my Stripe account balance"

The agent will:

  1. Run agentsecrets secrets list → sees STRIPE_KEY is available
  2. Run agentsecrets call --url https://api.stripe.com/v1/balance --bearer STRIPE_KEY
  3. Return the balance — without ever seeing sk_test_51Hxxxxx

Real Examples

Bearer Token APIs (Stripe, OpenAI, GitHub)

Most modern APIs use bearer tokens. This is the simplest pattern:

# Check Stripe balance
agentsecrets call --url https://api.stripe.com/v1/balance --bearer STRIPE_KEY

# List OpenAI models  
agentsecrets call --url https://api.openai.com/v1/models --bearer OPENAI_KEY

# List your GitHub repos
agentsecrets call --url https://api.github.com/user/repos --bearer GITHUB_TOKEN

Custom Header APIs

Some APIs use custom headers like X-API-Key:

agentsecrets secrets set SENDGRID_KEY=SG.xxxxxxxx

agentsecrets call \
  --url https://api.sendgrid.com/v3/mail/send \
  --method POST \
  --header X-Api-Key=SENDGRID_KEY \
  --body '{"personalizations":[{"to":[{"email":"test@example.com"}]}],"from":{"email":"you@domain.com"},"subject":"Test","content":[{"type":"text/plain","value":"Hello"}]}'

Query Parameter APIs (Google Maps, Weather APIs)

Some older APIs pass the key as a URL parameter:

agentsecrets secrets set GOOGLE_MAPS_KEY=AIzaSyxxxxxxxxxx

agentsecrets call \
  --url "https://maps.googleapis.com/maps/api/geocode/json?address=Lagos+Nigeria" \
  --query key=GOOGLE_MAPS_KEY

POST with Bearer + Body

Most write operations combine authentication with a request body:

# Create a Stripe charge
agentsecrets call \
  --url https://api.stripe.com/v1/charges \
  --method POST \
  --bearer STRIPE_KEY \
  --body '{"amount":1000,"currency":"usd","source":"tok_visa"}'

Multiple Credentials in One Call

Some APIs need more than one credential (e.g., org ID + API key):

agentsecrets call \
  --url https://api.example.com/data \
  --bearer AUTH_TOKEN \
  --header X-Org-ID=ORG_SECRET

Checking Your Audit Trail

Every call through AgentSecrets is logged. Key names only — never values:

# See last 5 calls
agentsecrets proxy logs --last 5

# Filter by a specific key
agentsecrets proxy logs --secret STRIPE_KEY

Output looks like:

2026-02-26 01:15:00  STRIPE_KEY  GET  https://api.stripe.com/v1/balance  200  245ms
2026-02-26 01:16:30  OPENAI_KEY  POST https://api.openai.com/v1/chat/completions  200  1203ms

You can audit exactly what your agent accessed, when, and where — without any key values being exposed.
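
One way to act on this log, as an added example (not part of AgentSecrets): the function below reads lines in the format shown above and flags every call where a key name was used against a host other than the one expected for it. The function name, the allowlist format and the sample lines are assumptions; in practice the input would be the output of agentsecrets proxy logs.

```shell
#!/usr/bin/env bash
# Added example, not part of AgentSecrets.
# Input format assumed from the sample output on this page:
#   DATE TIME KEY_NAME METHOD URL STATUS LATENCY

# check_key_hosts "KEY=host KEY=host ..."  < log
# Prints "KEY_NAME METHOD URL reason" for each call whose URL is not
# https://<expected host>/..., or whose key has no allowlist entry.
# Returns 1 if anything was flagged, else 0.
check_key_hosts() {
  awk -v allow="$1" '
    BEGIN {
      n = split(allow, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); host[kv[1]] = kv[2] }
    }
    NF >= 6 {
      key = $3; method = $4; url = $5
      if (!(key in host)) { print key, method, url, "no-allowlist-entry"; bad = 1; next }
      if (url !~ "^https://") { print key, method, url, "not-https"; bad = 1; next }
      # Compare the whole authority exactly, so a look-alike such as
      # api.stripe.com.example.net is flagged rather than prefix-matched.
      authority = substr(url, 9)
      sub("[/?#].*$", "", authority)
      if (tolower(authority) != host[key]) { print key, method, url, "unexpected-host"; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample lines in the page's format (not real log output).
sample_log='2026-02-26 01:15:00  STRIPE_KEY  GET  https://api.stripe.com/v1/balance  200  245ms
2026-02-26 01:16:30  OPENAI_KEY  POST https://api.openai.com/v1/chat/completions  200  1203ms
2026-02-26 01:17:02  STRIPE_KEY  POST https://api.stripe.com.example.net/v1/charges  200  310ms
2026-02-26 01:18:45  GITHUB_TOKEN  GET  http://api.github.com/user/repos  200  98ms'

printf '%s\n' "$sample_log" |
  check_key_hosts "STRIPE_KEY=api.stripe.com OPENAI_KEY=api.openai.com GITHUB_TOKEN=api.github.com" ||
  echo "review the flagged calls above"
```

A URL with an explicit port or userinfo part is also reported as unexpected-host, which is the conservative choice for a review list.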

Managing Your Keys

# List all stored key names
agentsecrets secrets list

# Add a new key
agentsecrets secrets set NEW_KEY=value

# Remove a key
agentsecrets secrets delete OLD_KEY

# Pull all keys from cloud (new machine setup)
agentsecrets secrets pull

# Push local keys to cloud (backup/sync)
agentsecrets secrets push

What's Happening Under the Hood

When you run agentsecrets call --bearer STRIPE_KEY:

  1. CLI loads your project config to get the project ID
  2. Looks up the key STRIPE_KEY in the OS keychain for that project
  3. Builds the HTTP request with Authorization: Bearer <actual_value>
  4. Forwards the request to the target URL
  5. Logs the call (key name, URL, status code — not the value)
  6. Returns the response body to stdout

The key value exists in memory only for the duration of the request. It never touches the filesystem, never enters agent memory, never appears in logs.

Troubleshooting

"Secret 'KEY_NAME' not found in keychain"

The key hasn't been stored yet. Run: agentsecrets secrets set KEY_NAME=value

"No project configured"

Run agentsecrets init first, or agentsecrets project use <name>

"agentsecrets: command not found"

Ensure you installed it correctly via Homebrew, npm, or pip. If using npx, try npx agentsecrets init.

Next Steps

Your keys are too valuable to leave in plaintext. Move them to your keychain. Let your agent do the work.
