ipeaky — Secure API Key Management

Keys are stored directly in OpenClaw's native config (openclaw.json) via gateway config.patch.
This means every skill that declares primaryEnv automatically picks up the key — zero manual wiring.

Key Map — Service to Config Path

Service	Config Path	primaryEnv
OpenAI	INLINECODE3	OPENAIAPIKEY
ElevenLabs

skills.entries.sag.apiKey | ELEVENLABSAPIKEY | | Brave Search | tools.web.search.apiKey | BRAVEAPIKEY | | Gemini | skills.entries.nano-banana-pro.apiKey | GEMINIAPIKEY | | Google Places | skills.entries.goplaces.apiKey | GOOGLEPLACESAPI_KEY | | Notion | skills.entries.notion.apiKey | NOTIONAPIKEY | | ElevenLabs Talk | talk.apiKey | (direct) | | Custom skill | skills.entries.<skill-name>.apiKey | (per skill) | | Custom env | skills.entries.<skill-name>.env.<VAR_NAME> | (arbitrary) |

Important: Some keys serve multiple skills. OpenAI key is used by openai-whisper-api,
openai-image-gen, etc. ElevenLabs key is used by sag and talk. When storing, set ALL
relevant config paths for that key.

Storing Keys (v4 — Single Paste, Zero Exposure) ⭐ PREFERRED

One popup. Paste everything. Regex parses. One save. One restart. Keys never touch chat or network.

CODEBLOCK0

Examples:

CODEBLOCK1

The script:

1. 1. Shows ONE macOS popup — user pastes all keys in any format
2. Local Python regex parses key-value pairs (no AI, no network)
3. Confirmation popup: "Found 3 keys: X, Y, Z — Store all?"
4. ONE openclaw config set batch → ONE gateway restart
5. Keys never appear in chat, logs, or shell history

Supported input formats:

• - key_name: value or INLINECODE18
• INLINECODE19
• Bare tokens on separate lines (auto-labeled in order)
• Mixed formats in one paste

---

Storing a Key (v3 — Zero Exposure)

Use the v3 script. The agent NEVER sees the key. The script handles popup + storage directly.

CODEBLOCK2

Examples:

CODEBLOCK3

The script:

1. 1. Shows macOS popup (hidden input)
2. Calls openclaw config set for each path
3. Restarts gateway
4. Returns ONLY "OK" or "ERROR" — key never appears in agent output or chat history

Legacy Method (v2 — agent sees key, NOT recommended)

Step 1: Launch the secure input popup. On macOS:
CODEBLOCK4

Step 2: Once you have the key value (from stdout of the script), store it via gateway config.patch.

Example for OpenAI:
CODEBLOCK5

Example for ElevenLabs:
CODEBLOCK6

Example for Brave Search:
CODEBLOCK7

Critical rules:

• - NEVER echo, print, or include any key value in chat messages or tool call arguments
• NEVER include key values in the reason field of config.patch
• If a user pastes a key directly in chat, store it immediately and tell them to delete the message
• The secureinputmac.sh script outputs the key to stdout — capture it in a variable, use it in config.patch, never log it

Listing Keys

Read from the live config using gateway config.get. Show masked values only (first 4 chars + ).
Parse the config JSON and find all apiKey fields, display their config path and masked value.

Testing a Key

Test endpoints:

• - OpenAI: INLINECODE24
• ElevenLabs: INLINECODE25
• Anthropic: INLINECODE26
• Brave Search: INLINECODE27

Source the key from the config (via gateway config.get), test it, report result. Never show the key.

Deleting a Key

Use gateway config.patch to set the key value to an empty string or remove the entry.

💎 Paid Tier (Coming Soon)

ipeaky core is free forever. A paid tier is in development with premium features:

• - Team key sharing — Role-based access across team members
• Key rotation reminders — Automated expiry alerts
• Usage analytics — Track key usage across skills
• Breach monitoring — Leak database notifications
• Cross-platform — Linux & Windows secure input
• Backup & sync — Encrypted cloud backup

See paid_tier/README-paid.md for details. Billing is powered by Stripe.

CODEBLOCK8

Security Guarantees

• - Keys go: secure popup → stdout pipe → config.patch → openclaw.json (never chat)
• Keys are automatically available to all skills via OpenClaw's native env injection
• No separate credential files to manage
• No manual source commands needed
• config.patch triggers a gateway reload so keys take effect immediately