
Putting secrets externalization into practice: replacing plaintext configuration with openclaw secrets

Problem/scenario: the team writes API keys directly into openclaw.json, which creates a leakage risk and makes rotation difficult. Prerequisites: upgraded to v2026.2.26+ and an available secret store (ENV/file/exec). Implementation steps: 1) `openclaw secrets audit` to inventory plaintext keys; 2) `openclaw secrets configure` to set the provider; 3) `openclaw secrets apply` to run the migration; 4) `openclaw secrets reload` to hot-reload; 5) run a full end-to-end session regression. Key commands: `openclaw secrets audit|configure|apply|reload`. Verification: the config file no longer contains plaintext keys and model calls work normally. Risks and boundaries: if the provider path is written incorrectly during migration, authentication will fail, so verify in a test environment first. Source attribution: GitHub v2026.2.26 release + official secrets documentation.

GitHub · Discovered 2026-03-01 · Author @openclaw
Prerequisites
  • OpenClaw is upgraded to v2026.2.26 or newer.
  • You have a secret backend (env/file/exec provider) and a rollback backup.
Steps
  1. Run `openclaw secrets audit` and list all plaintext credentials in config files.
  2. Use `openclaw secrets configure` to bind the target secret provider and reference paths.
  3. Apply the migration with `openclaw secrets apply` and confirm the config contains only references.
  4. Reload runtime using `openclaw secrets reload` (or gateway restart if required).
  5. Run message/model smoke tests and verify no auth regression.
Commands
openclaw secrets audit
openclaw secrets configure
openclaw secrets apply
openclaw secrets reload
Verify

No plaintext keys remain in config and at least one model call succeeds after reload.
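One way to automate this verification step, as an added example that is not OpenClaw's own code: walk an openclaw.json-style document and report every credential-bearing key whose value is still an inline string rather than a provider reference. The `env:`/`file:`/`exec:` reference syntax is an assumption (the page names those providers but not their reference format), and the sample configs are constructed.

```python
import json
import re

# Added example, not OpenClaw's own code. The "env:/file:/exec:" reference
# syntax is an assumption; the page names those providers but not the format.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|token|secret|password|passwd)", re.I)
REFERENCE_RE = re.compile(r"^(env|file|exec):\S+$")


def find_plaintext_secrets(config, path=""):
    """Return JSON paths whose key looks credential-bearing and whose value
    is a non-empty string that is not a provider reference."""
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                if SECRET_KEY_RE.search(key) and value and not REFERENCE_RE.match(value):
                    findings.append(child)
            else:
                findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(config, list):
        for idx, item in enumerate(config):
            findings.extend(find_plaintext_secrets(item, f"{path}[{idx}]"))
    return findings


def audit_config_text(text):
    """Parse a JSON config document and return its plaintext-secret paths."""
    return find_plaintext_secrets(json.loads(text))


# Constructed sample configs: inline credentials before migration, provider
# references after it.
BEFORE = json.dumps({
    "models": [{"name": "main", "api_key": "sk-constructed-example-1234"}],
    "gateway": {"auth": {"token": "hunter2"}, "port": 8080},
})
AFTER = json.dumps({
    "models": [{"name": "main", "api_key": "env:OPENCLAW_MODEL_KEY"}],
    "gateway": {"auth": {"token": "file:/run/secrets/gateway_token"}, "port": 8080},
})

if __name__ == "__main__":
    print("before:", audit_config_text(BEFORE))  # ['models[0].api_key', 'gateway.auth.token']
    print("after:", audit_config_text(AFTER))    # []
```

An empty result on the migrated file is the first half of the check; the second half is still the live model call after `openclaw secrets reload`, since a wrong reference path passes this scan but fails at runtime.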

Caveats
  • If secret path mapping is wrong, startup may pass but runtime calls can fail (needs verification).
  • Keep emergency rollback snapshot before applying migration.
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
