Vault Enhancements w/ UI
by @maverick-software
Vault-backed API Keys management for OpenClaw. Secure file-based secret storage with one-click migration from plaintext config, dynamic key discovery, vault...
clawhub install api-key-ui-tabπ About This Skill
name: apikeys-ui description: "Vault-backed API Keys management for OpenClaw. Secure file-based secret storage with one-click migration from plaintext config, dynamic key discovery, vault key selector for skills, manual secret creation, and plugin-registered settings tab." version: 3.0.0 author: OpenClaw Community metadata: {"openclaw":{"emoji":"π","requires":{"openclaw":">=2026.1.0"},"category":"settings"}}
Vault Enhancements w/ UI v3.0.0
Vault-backed API key management for the OpenClaw Control dashboard. Keys are stored in a secure file (~/.openclaw/secrets.json, mode 0600) and referenced via OpenClaw's built-in Secrets System. The AI agent never sees your keys.
Status: β Active
| Component | Status | |-----------|--------| | Vault File Storage | β Working | | Secret References (SecretRef) | β Working | | Dynamic Key Discovery | β Working | | One-Click Migration | β Working | | Plugin-Registered Tab | β Working | | Vault Status Banner | β Working | | Key Status Badges | β Working | | Vault-Only Keys Section | β Working | | Manual "+ Add Secret" Form | β Working | | Restart Notification Banner | β Working | | Skills Vault Key Selector | β Working | | Skills Inline Key Creation | β Working | | Auth Profiles Display | β Working |
Features
1. Vault-Backed Storage
Keys are stored in ~/.openclaw/secrets.json (file permissions 0600). When you save a key, the UI:
1. Writes the value to the vault file
2. Configures the file secret provider in openclaw.json (if not already present)
3. Replaces the plaintext config value with a SecretRef object
4. Shows a restart notification β user must restart gateway for changes to take effect
Config before migration:
{
"env": {
"OPENAI_API_KEY": "sk-proj-abc123..."
}
}
Config after migration:
{
"env": {
"OPENAI_API_KEY": { "source": "file", "provider": "default", "id": "/OPENAI_API_KEY" }
},
"secrets": {
"providers": {
"default": { "source": "file", "path": "~/.openclaw/secrets.json", "mode": "json" }
},
"defaults": { "file": "default" }
}
}
Vault file (~/.openclaw/secrets.json):
{
"OPENAI_API_KEY": "sk-proj-abc123..."
}
2. One-Click Migration
The "π Migrate to Vault" button appears when plaintext keys are detected. It:
openclaw.json for all plaintext API key valuesSecretRef objects in config3. Dynamic Key Discovery
The UI automatically scans the entire config for API keys β no hardcoded list.
Detection patterns: apiKey, api_key, token, secret, *_KEY, *_TOKEN, *_SECRET
Where it looks:
env.* β Environment variablesskills.entries.*.apiKey β Skill-specific keysmessages.tts.*.apiKey β TTS provider keysKnown providers get friendly names, descriptions, and "Get key β" links:
| Provider | Env Key |
|----------|---------|
| Anthropic | ANTHROPIC_API_KEY |
| OpenAI | OPENAI_API_KEY |
| Google / Gemini | GOOGLE_API_KEY / GEMINI_API_KEY |
| Brave Search | BRAVE_API_KEY |
| ElevenLabs | ELEVENLABS_API_KEY |
| Deepgram | DEEPGRAM_API_KEY |
| OpenRouter | OPENROUTER_API_KEY |
| Groq | GROQ_API_KEY |
| Fireworks | FIREWORKS_API_KEY |
| Mistral | MISTRAL_API_KEY |
| xAI (Grok) | XAI_API_KEY |
| Perplexity | PERPLEXITY_API_KEY |
| GitHub | GITHUB_TOKEN |
| Hume AI | HUME_API_KEY / HUME_SECRET_KEY |
4. Vault Status Banner
Top of the page shows:
5. Key Status Badges
Each key row shows:
6. Vault-Only Keys Section
Keys stored in the vault that aren't referenced by any config path are displayed in a dedicated "Vault-Only Keys" card. These are keys created manually or by skills that don't have a corresponding env/config entry. Each shows:
7. Manual "+ Add Secret" Form
The Vault tab header includes a "+ Add Secret" button that expands an inline form:
envEntry: false β no config entry created, no restart triggered8. Restart Notification Banner
When a vault write triggers a config change, a yellow warning banner appears: > β New secrets require a gateway restart to take effect. > [Restart Now]
The banner persists until the user clicks "Restart Now" or refreshes. This replaces the previous auto-reload behavior that caused unexpected gateway restarts.
9. Skills Vault Key Selector
On the Skills tab, skills that declare a primaryEnv get a vault key selector instead of a raw password input:
When unlinked:
SecretRef to skills.entries..apiKey in configWhen linked:
π KEY_NAME with an "Unlink" buttonInline key creation:
10. Skills Expanded by Default
All skill groups (workspace, built-in, managed) render expanded () for better discoverability. Previously workspace and built-in were collapsed by default.
11. Auth Profiles Display
Auth profile keys (from auth-profiles.json) that are stored in the vault are listed with their status. Backend RPCs support listing, error reset, and deletion.
Architecture
Security Model
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Browser β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Vault Tab β β
β β ββββββββββββββββββββββββββββββββββββββββββββ β β
β β β OpenAI: [β’β’β’β’β’β’β’β’β’β’] [Save] [β] π’VAULT β β β
β β β Anthropic: [ ] [Save] βͺNOT SETβ β β
β β β + Add Secret [KEY_NAME] [value] [Save] β β β
β β ββββββββββββββββββββββββββββββββββββββββββββ β β
β β β β
β β Skills Tab β β
β β ββββββββββββββββββββββββββββββββββββββββββββ β β
β β β whisper-api: π OPENAI_API_KEY [Unlink] β β β
β β β sag: [Select vault key βΎ] β β β
β β ββββββββββββββββββββββββββββββββββββββββββββ β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βΌ (direct RPC, not via agent) β
βββββββββββββββββββββββββββββΌββββββββββββββββββββββββββββββββ
β
βββββββββΌββββββββ
β Gateway β
β secrets.write β
β skills.update β
ββββ¬ββββββββββ¬βββ
β β
ββββββββββΌβββ ββββΌβββββββββββββ
β secrets. β β openclaw.json β
β json β β (SecretRef β
β (0600) β β objects only) β
ββββββββββββββ ββββββββββββββββββ
Backend RPCs
| Method | Description |
|--------|-------------|
| secrets.status | Vault file status, key count, plaintext count |
| secrets.list | List secret IDs with masked values |
| secrets.write | Store key in vault + optionally update config with SecretRef. envEntry param (default true) controls whether an env block entry is created. Returns restartNeeded flag instead of auto-reloading. |
| secrets.delete | Remove from vault + config |
| secrets.migrate | Batch-migrate all plaintext keys to vault |
| secrets.authProfiles.list | List auth profile keys with vault status |
| secrets.authProfiles.resetErrors | Reset auth profile error state |
| secrets.authProfiles.delete | Delete an auth profile |
| skills.update | Updated with vaultKeyId param β writes a SecretRef to skills.entries. or unlinks (empty string) |
Skills-Status Integration
SkillStatusEntry includes a vaultKeyId field that reads the raw config JSON (not the runtime-resolved config where SecretRefs are replaced with resolved strings). This is done via extractVaultKeyIdFromConfig() which reads and caches openclaw.json directly, checking for SecretRef objects in skills.entries..
Restart Behavior
No auto-restart on vault save. Previously, secrets.write called reloadSecrets() which could trigger a gateway restart. Now:
envEntry: false) don't touch config β no restart neededrestartNeeded: true β UI shows a restart bannerwriteConfigFile() β triggers the config file watcher which causes a gateway restart (inherent to the config watcher system)OpenClaw Secrets System Integration
This skill uses OpenClaw's built-in Secrets System (src/secrets/):
{ source: "file", path: "~/.openclaw/secrets.json", mode: "json" }{ source: "file", provider: "default", id: "/" } prepareSecretsRuntimeSnapshot() resolves all refs at gateway startupThe secrets system also supports env and exec providers for advanced setups (e.g., environment variables, external vault commands). The file provider is the default for this UI.
Files Modified (Source Locations in OpenClaw Repo)
| File | Purpose |
|------|---------|
| src/gateway/server-methods/secrets.ts | Vault RPCs (status, list, write, delete, migrate, authProfiles) |
| src/gateway/server-methods/skills.ts | Skills update with vaultKeyId param |
| src/gateway/server-methods/plugins-ui.ts | Plugin view registration |
| src/gateway/protocol/schema/agents-models-skills.ts | vaultKeyId in SkillsUpdateParamsSchema |
| src/agents/skills-status.ts | vaultKeyId field on SkillStatusEntry, raw config reader |
| ui/src/ui/controllers/apikeys.ts | Vault-aware state, addVaultSecret, loadVaultOnlyKeys |
| ui/src/ui/controllers/skills.ts | VaultKeyEntry type, loadVaultKeys, linkSkillToVaultKey, addVaultKeyAndLink |
| ui/src/ui/views/apikeys.ts | Vault UI (banners, badges, migration, add form, vault-only keys, restart banner) |
| ui/src/ui/views/skills.ts | Vault key selector dropdown, inline creation, expanded groups |
| ui/src/ui/app.ts | State properties (vault, restart, skill key management) |
| ui/src/ui/app-render.ts | Prop wiring for vault and skills |
| ui/src/ui/app-settings.ts | Tab load triggers for vault keys |
| ui/src/ui/types.ts | vaultKeyId on SkillStatusEntry |
| ui/src/ui/navigation.ts | Vault tab (lock icon), removed 1password/discord standalone tabs |
Reference Files
apikeys-ui/
βββ SKILL.md # This file
βββ INSTALL_INSTRUCTIONS.md # Step-by-step installation (legacy)
βββ reference/
βββ apikeys-controller.ts # UI controller (vault tab)
βββ apikeys-views.ts # UI view (vault tab)
βββ secrets-rpc.ts # Backend vault RPCs
βββ skills-controller.ts # UI controller (skills vault integration)
βββ skills-views.ts # UI view (vault key selector)
βββ skills-status.ts # Backend skill status with vaultKeyId
βββ skills-rpc.ts # Backend skills update RPC
Key Design Decisions
1. No auto-restart on save β secrets.write no longer calls reloadSecrets(). A restart banner with "Restart Now" button lets the user decide when to restart.
2. Vault-only keys β Keys created with envEntry: false don't appear in config. A separate secrets.list call finds all vault entries and shows orphan keys in a dedicated section.
3. Raw config reading for vaultKeyId β The runtime resolves SecretRefs to strings, so loadConfig() returns resolved values. extractVaultKeyIdFromConfig() reads the raw JSON file directly (with mtime caching) to detect SecretRef objects.
4. Skills expanded by default β All groups render open for better UX. Collapsed-by-default hid skills that needed configuration.
5. Skills use vault references, not plaintext β Skills with primaryEnv get a vault key selector dropdown instead of a password input. Linking writes a SecretRef to skills.entries. in config.
6. Inline key creation from skills β "οΌ Add new vault keyβ¦" in the skills dropdown creates a vault entry and links it in one step, reducing friction.
Changelog
v3.0.0
primaryEnvenvEntry param on secrets.write β controls whether an env block entry is createdvaultKeyId param on skills.update β writes SecretRef or unlinks skill from vault keyv2.0.0
~/.openclaw/secrets.json (mode 0600) instead of plaintext configsecrets.status, secrets.list, secrets.write, secrets.delete, secrets.migratev1.1.0
v1.0.0
config.patch