RunTheAgent
Feature

Your API Keys, Encrypted and Protected

Your Anthropic or OpenAI API key is sensitive. RunTheAgent encrypts it at rest and ensures it is only ever used by your isolated OpenClaw instance on secure managed infrastructure.

Why API Key Security Matters

Your API key is essentially a credit card for AI services. Anyone with access to your key can make API calls on your account, potentially running up significant charges. Compromised API keys are one of the most common security incidents in the AI space.

RunTheAgent takes API key security seriously. Whether you know the project as OpenClaw, MoltBot, or ClawdBot (its earlier names), your key is encrypted at rest using industry-standard encryption. It is never stored in plain text, never logged, never shared with other users, and only decrypted when your specific instance needs to make an API call to your chosen provider.

This approach means that even in the unlikely event of a data breach, your API keys remain protected by encryption rather than being immediately usable.

Security Measures in Place

Encryption at Rest

Your API key is encrypted before it is stored. It is never written to disk or database in plain text. Standard encryption algorithms protect your credentials from unauthorized access.

Instance Isolation

Your API key is only accessible to your specific instance. No other user's instance, no shared process, and no administrative tool can access your decrypted key.

No Plain-Text Logging

API keys are never included in log files, error reports, or monitoring data. Even internal system logs mask or exclude credential information.

You Control the Key

You can rotate, revoke, or change your API key at any time through your dashboard. If you suspect compromise, change the key instantly. You can also revoke the key directly with your AI provider.

Best Practices for API Key Management

Protecting your credentials is a shared responsibility

1. Use Dedicated API Keys

Create a separate API key specifically for your RunTheAgent instance. Do not reuse keys across multiple services. If one service is compromised, your other services remain unaffected.

2. Set Usage Limits

Both Anthropic and OpenAI allow you to set spending limits on your API keys. Configure a monthly limit that matches your expected usage. This prevents runaway costs even if a key is somehow compromised.

3. Monitor Your Usage

Check your API provider's dashboard periodically to verify usage patterns match your expectations. Unexpected spikes could indicate unauthorized access.

4. Rotate Keys Periodically

As a security best practice, generate a new API key every few months and update it in your RunTheAgent dashboard. Revoke the old key after confirming the new one works.

Security by the Numbers

AES-256: Industry-standard encryption for stored keys

0: Plain-text API keys in storage or logs

100%: Instance isolation between users

Instant: Key rotation through your dashboard

What Happens If Your API Key Is Compromised Elsewhere

API key breaches most commonly happen outside of the platforms that use them. Keys get committed to public GitHub repositories, shared in unencrypted emails, stored in plain-text notes, or exposed through compromised development environments.

RunTheAgent protects your key within the platform, but you should also protect it everywhere else. Never share your API key in chat messages, emails, or documents. Do not commit it to version control. If you use the same key across multiple services, a breach in any one of them compromises all of them.

The best practice: create a dedicated API key specifically for your OpenClaw instance. Set a spending limit on it through your Anthropic or OpenAI dashboard. This way, even in the worst case, the blast radius is contained to a single key with a capped spending limit.

Security Scenarios and How OpenClaw Handles Them

You Suspect Key Compromise

Immediately rotate your API key with your model provider (Anthropic or OpenAI), then update the new key in your RunTheAgent dashboard. The old key is invalidated instantly. Your instance starts using the new key with zero downtime. Total recovery time: under 5 minutes.

You Want to Audit Key Usage

Check your API provider's usage dashboard to see all requests made with your key. Compare the usage patterns with your OpenClaw activity logs. Any discrepancy would indicate unauthorized use. Both Anthropic and OpenAI provide detailed usage logs broken down by date and model.
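
The audit comparison described above can be scripted. The following is an added example, not RunTheAgent or OpenClaw code: the provider export columns and the activity log line format are assumptions, and both samples are constructed. It counts requests per UTC date and model on each side and reports every mismatch.

```python
import csv
import io
from collections import Counter

# Constructed sample of a provider usage export (column names are assumptions).
PROVIDER_CSV = """date,model,requests
2026-01-10,model-a,2
2026-01-10,model-b,1
2026-01-11,model-a,2
2026-01-11,model-b,4
2026-01-12,model-a,1
"""

# Constructed sample of an instance activity log (format is an assumption).
ACTIVITY_LOG = """2026-01-10T09:00:01Z model=model-a
2026-01-10T09:05:12Z model=model-a
2026-01-10T18:02:30Z model=model-b
2026-01-11T08:15:00Z model=model-a
2026-01-11T08:16:09Z model=model-a
2026-01-11T11:30:27Z model=model-b
"""

def provider_counts(text):
    """Parse the provider export into {(date, model): requests}."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        counts[(row["date"], row["model"])] += int(row["requests"])
    return counts

def activity_counts(text):
    """Count logged calls per (UTC date, model) from the activity log."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("model="):
            continue  # skip blank or unrelated lines
        # Key on the YYYY-MM-DD prefix of the ISO timestamp and the model name.
        counts[(fields[0][:10], fields[1][len("model="):])] += 1
    return counts

def reconcile(provider, local):
    """Return (date, model, provider_n, local_n) for every mismatch."""
    keys = sorted(set(provider) | set(local))
    return [(d, m, provider[(d, m)], local[(d, m)])
            for d, m in keys if provider[(d, m)] != local[(d, m)]]

if __name__ == "__main__":
    for d, m, p, n in reconcile(provider_counts(PROVIDER_CSV), activity_counts(ACTIVITY_LOG)):
        print(f"{d} {m}: provider={p} instance={n} difference={p - n}")
```

Rows where the provider count exceeds the instance count are the ones to investigate. A day with provider traffic and no instance activity at all is the strongest signal.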

A Paragon Venture

© 2026 RunTheAgent. All rights reserved.