ipeaky — Secure API Key Management
Keys are stored directly in OpenClaw's native config (openclaw.json) via gateway config.patch.
This means every skill that declares primaryEnv automatically picks up the key — zero manual wiring.
Key Map — Service to Config Path
| Service | Config Path | primaryEnv |
|---|
| OpenAI | INLINECODE3 | OPENAIAPIKEY |
| ElevenLabs |
skills.entries.sag.apiKey | ELEVENLABS
APIKEY |
| Brave Search |
tools.web.search.apiKey | BRAVE
APIKEY |
| Gemini |
skills.entries.nano-banana-pro.apiKey | GEMINI
APIKEY |
| Google Places |
skills.entries.goplaces.apiKey | GOOGLE
PLACESAPI_KEY |
| Notion |
skills.entries.notion.apiKey | NOTION
APIKEY |
| ElevenLabs Talk |
talk.apiKey | (direct) |
| Custom skill |
skills.entries.<skill-name>.apiKey | (per skill) |
| Custom env |
skills.entries.<skill-name>.env.<VAR_NAME> | (arbitrary) |
Important: Some keys serve multiple skills. OpenAI key is used by openai-whisper-api,
openai-image-gen, etc. ElevenLabs key is used by sag and talk. When storing, set ALL
relevant config paths for that key.
Storing Keys (v4 — Single Paste, Zero Exposure) ⭐ PREFERRED
One popup. Paste everything. Regex parses. One save. One restart. Keys never touch chat or network.
CODEBLOCK0
Examples:
�CODEBLOCK1
The script:
- 1. Shows ONE macOS popup — user pastes all keys in any format
- Local Python regex parses key-value pairs (no AI, no network)
- Confirmation popup: "Found 3 keys: X, Y, Z — Store all?"
- ONE
openclaw config set batch → ONE gateway restart - Keys never appear in chat, logs, or shell history
Supported input formats:
- -
key_name: value or �INLINECODE18 - INLINECODE19
- Bare tokens on separate lines (auto-labeled in order)
- Mixed formats in one paste
Storing a Key (v3 — Zero Exposure)
Use the v3 script. The agent NEVER sees the key. The script handles popup + storage directly.
CODEBLOCK2
Examples:
�CODEBLOCK3
The script:
- 1. Shows macOS popup (hidden input)
- Calls
openclaw config set for each path - Restarts gateway
- Returns ONLY "OK" or "ERROR" — key never appears in agent output or chat history
Legacy Method (v2 — agent sees key, NOT recommended)
Step 1: Launch the secure input popup. On macOS:
�CODEBLOCK4
Step 2: Once you have the key value (from stdout of the script), store it via gateway config.patch.
Example for OpenAI:
�CODEBLOCK5
Example for ElevenLabs:
�CODEBLOCK6
Example for Brave Search:
�CODEBLOCK7
Critical rules:
- - NEVER echo, print, or include any key value in chat messages or tool call arguments
- NEVER include key values in the
reason field of config.patch - If a user pastes a key directly in chat, store it immediately and tell them to delete the message
- The secureinputmac.sh script outputs the key to stdout — capture it in a variable, use it in config.patch, never log it
Listing Keys
Read from the live config using gateway config.get. Show masked values only (first 4 chars + ).
Parse the config JSON and find all apiKey fields, display their config path and masked value.
Testing a Key
Test endpoints:
- - OpenAI: �INLINECODE24
- ElevenLabs: �INLINECODE25
- Anthropic: �INLINECODE26
- Brave Search: �INLINECODE27
Source the key from the config (via gateway config.get), test it, report result. Never show the key.
Deleting a Key
Use gateway config.patch to set the key value to an empty string or remove the entry.
💎 Paid Tier (Coming Soon)
ipeaky core is free forever. A paid tier is in development with premium features:
- - Team key sharing — Role-based access across team members
- Key rotation reminders — Automated expiry alerts
- Usage analytics — Track key usage across skills
- Breach monitoring — Leak database notifications
- Cross-platform — Linux & Windows secure input
- Backup & sync — Encrypted cloud backup
See paid_tier/README-paid.md for details. Billing is powered by Stripe.
CODEBLOCK8
Security Guarantees
- - Keys go: secure popup → stdout pipe → config.patch → openclaw.json (never chat)
- Keys are automatically available to all skills via OpenClaw's native env injection
- No separate credential files to manage
- No manual
source commands needed - config.patch triggers a gateway reload so keys take effect immediately
ipeaky — 安全API密钥管理
密钥通过gateway config.patch直接存储在OpenClaw的原生配置(openclaw.json)中。
这意味着每个声明了primaryEnv的技能都会自动获取密钥——无需手动配置。
密钥映射 — 服务到配置路径
| 服务 | 配置路径 | primaryEnv |
|---|
| OpenAI | skills.entries.openai-whisper-api.apiKey | OPENAIAPIKEY |
| ElevenLabs |
skills.entries.sag.apiKey | ELEVENLABS
APIKEY |
| Brave Search | tools.web.search.apiKey | BRAVE
APIKEY |
| Gemini | skills.entries.nano-banana-pro.apiKey | GEMINI
APIKEY |
| Google Places | skills.entries.goplaces.apiKey | GOOGLE
PLACESAPI_KEY |
| Notion | skills.entries.notion.apiKey | NOTION
APIKEY |
| ElevenLabs Talk | talk.apiKey | (直接) |
| 自定义技能 | skills.entries.<技能名称>.apiKey | (按技能) |
| 自定义环境变量 | skills.entries.<技能名称>.env.<变量名> | (任意) |
重要提示: 某些密钥服务于多个技能。OpenAI密钥被openai-whisper-api、
openai-image-gen等使用。ElevenLabs密钥被sag和talk使用。存储时,请设置该密钥的
所有相关配置路径。
存储密钥(v4 — 单次粘贴,零暴露)⭐ 推荐方式
一个弹窗。粘贴所有内容。正则解析。一次保存。一次重启。密钥永不触及聊天或网络。
bash
bash {baseDir}/scripts/storekeyv4.sh <服务名称> <配置前缀>
示例:
bash
X API密钥(一次粘贴消费者密钥+密钥+令牌)
bash {baseDir}/scripts/store
keyv4.sh X API skills.entries.x-twitter.env
任何服务 — 用户以任意格式粘贴:
consumer key: abc123
secret: xyz789
bearer token: AAAA...
该脚本:
- 1. 显示一个macOS弹窗 — 用户以任意格式粘贴所有密钥
- 本地Python正则解析键值对(无AI,无网络)
- 确认弹窗:找到3个密钥:X, Y, Z — 全部存储?
- 一次openclaw config set批量操作 → 一次网关重启
- 密钥永不显示在聊天、日志或shell历史中
支持的输入格式:
- - keyname: value 或 keyname = value
- KEY_NAME=value
- 单独行上的裸令牌(按顺序自动标记)
- 一次粘贴中的混合格式
存储密钥(v3 — 零暴露)
使用v3脚本。 代理永远不会看到密钥。脚本直接处理弹窗+存储。
bash
bash {baseDir}/scripts/storekeyv3.sh <服务名称> <配置路径1> [<配置路径2> ...]
示例:
bash
Brave Search
bash {baseDir}/scripts/store
keyv3.sh Brave Search tools.web.search.apiKey
OpenAI(多个路径)
bash {baseDir}/scripts/store
keyv3.sh OpenAI skills.entries.openai-whisper-api.apiKey
ElevenLabs(sag + talk)
bash {baseDir}/scripts/store
keyv3.sh ElevenLabs skills.entries.sag.apiKey talk.apiKey
该脚本:
- 1. 显示macOS弹窗(隐藏输入)
- 为每个路径调用openclaw config set
- 重启网关
- 仅返回OK或ERROR — 密钥永不显示在代理输出或聊天历史中
传统方法(v2 — 代理看到密钥,不推荐)
步骤1: 启动安全输入弹窗。在macOS上:
bash
bash {baseDir}/scripts/secureinputmac.sh KEY_NAME
步骤2: 获取密钥值(从脚本的标准输出)后,通过gateway config.patch存储。
OpenAI示例:
gateway config.patch with raw: {skills:{entries:{openai-whisper-api:{apiKey:THEKEY},openai-image-gen:{apiKey:THEKEY}}}}
ElevenLabs示例:
gateway config.patch with raw: {skills:{entries:{sag:{apiKey:THEKEY}}},talk:{apiKey:THEKEY}}
Brave Search示例:
gateway config.patch with raw: {tools:{web:{search:{apiKey:THE_KEY}}}}
关键规则:
- - 切勿在聊天消息或工具调用参数中回显、打印或包含任何密钥值
- 切勿在config.patch的reason字段中包含密钥值
- 如果用户直接在聊天中粘贴密钥,立即存储并告知用户删除该消息
- secureinputmac.sh脚本将密钥输出到标准输出 — 捕获到变量中,在config.patch中使用,切勿记录
列出密钥
使用gateway config.get从实时配置中读取。仅显示掩码值(前4个字符+)。
解析配置JSON并查找所有apiKey字段,显示其配置路径和掩码值。
测试密钥
测试端点:
- - OpenAI:curl -s -H Authorization: Bearer $KEY https://api.openai.com/v1/models | head
- ElevenLabs:curl -s -H xi-api-key: $KEY https://api.elevenlabs.io/v1/user
- Anthropic:curl -s -H x-api-key: $KEY -H anthropic-version: 2023-06-01 https://api.anthropic.com/v1/messages -d {model:claude-3-haiku-20240307,max_tokens:1,messages:[{role:user,content:hi}]}
- Brave Search:curl -s -H X-Subscription-Token: $KEY https://api.search.brave.com/res/v1/web/search?q=test&count=1
从配置中获取密钥(通过gateway config.get),测试它,报告结果。切勿显示密钥。
删除密钥
使用gateway config.patch将密钥值设置为空字符串或删除该条目。
💎 付费层级(即将推出)
ipeaky核心功能永久免费。付费层级正在开发中,提供高级功能:
- - 团队密钥共享 — 团队成员间的基于角色的访问
- 密钥轮换提醒 — 自动过期提醒
- 使用分析 — 跨技能跟踪密钥使用情况
- 泄露监控 — 泄露数据库通知
- 跨平台 — Linux和Windows安全输入
- 备份与同步 — 加密云备份
详情请参见paid_tier/README-paid.md。计费由Stripe提供支持。
bash
设置Stripe集成(使用ipeaky存储自己的密钥!)
bash {baseDir}/paid_tier/stripe-setup.sh
创建结账会话
bash {baseDir}/paid
tier/stripe-checkout.sh --price priceXXXXX --mode subscription
安全保障
- - 密钥流程:安全弹窗 → 标准输出管道 → config.patch → openclaw.json(永不进入聊天)
- 通过OpenClaw的原生环境注入,密钥自动对所有技能可用
- 无需管理单独的凭证文件
- 无需手动source命令
- config.patch触发网关重新加载,密钥立即生效
