BYOK: Your keys, your server
OneClickClaw uses a Bring Your Own Key (BYOK) model. You provide your own API key from your AI provider (Anthropic, OpenAI, OpenRouter, Grok, or any of the 23 supported providers). That key lives exclusively on your dedicated server. We never see it, we never store it on our platform servers, and we never transmit it through our systems.
This means you maintain full ownership and control over your AI spending. Your key connects your server directly to your chosen AI provider. OneClickClaw's management layer orchestrates deployment and configuration, but your API key stays entirely within your VPS.
Diagram: Your AI Provider, Your Dedicated VPS (Denmark), OneClickClaw Platform.
How your keys are encrypted
When you enter your API key during onboarding or update it later from the Agent Panel, the key is encrypted using AES-256 encryption before it touches the disk. The key is never stored in plaintext. The encryption happens directly on your dedicated VPS, and the decryption key is derived from a server-specific secret that is unique to your instance.
This architecture means that even if someone gained physical access to the server's storage, they would find only encrypted data. The decryption secret is held in memory by the running process and is never written to a file.
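The passage above describes the at-rest design in words: the API key is encrypted with AES-256 before it reaches disk, the decryption key is derived from a server-specific secret that lives only in process memory, and an attacker who copies the storage gets only ciphertext. The following Go program is an added illustration of that pattern and is not OneClickClaw's or OpenClaw's own code. It assumes details the page does not state: AES-256 in GCM mode, a key-encryption key derived from the in-memory server secret with HMAC-SHA256 under a fixed label, and a constructed server secret and API key used purely as sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKEK turns the server-specific secret (held only in memory) into a
// 32-byte AES-256 key. The fixed label binds the derived key to this one use.
// Hypothetical derivation: the page does not say how the real one works.
func deriveKEK(serverSecret []byte) []byte {
	mac := hmac.New(sha256.New, serverSecret)
	mac.Write([]byte("byok-api-key-encryption-v1"))
	return mac.Sum(nil) // 32 bytes = AES-256 key size
}

// sealAPIKey encrypts the plaintext API key with AES-256-GCM. The returned
// blob is nonce || ciphertext || tag and is the only thing written to disk.
func sealAPIKey(serverSecret, apiKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKEK(serverSecret))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, apiKey, []byte("api-key")), nil
}

// openAPIKey reverses sealAPIKey. GCM authenticates the blob, so a wrong
// server secret or a tampered file yields an error rather than garbage.
func openAPIKey(serverSecret, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKEK(serverSecret))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte("api-key"))
}

func main() {
	// Constructed sample values; neither is a real secret or key.
	serverSecret := []byte("constructed-server-secret-held-only-in-memory")
	apiKey := []byte("sk-EXAMPLE-not-a-real-provider-key")

	blob, err := sealAPIKey(serverSecret, apiKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes written to disk: %x\n", blob)

	got, err := openAPIKey(serverSecret, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted by the running process: %s\n", got)

	// Someone with only the disk contents (no in-memory secret) gets an error.
	_, err = openAPIKey([]byte("wrong-secret"), blob)
	fmt.Println("decrypt without the server secret:", err)
}
```

The point to check in any real deployment is the last call: decryption must fail, not silently succeed, when the in-memory secret is absent, and the plaintext key must never appear in the stored blob.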
Who has access to your keys
Only the OpenClaw process running on your dedicated server decrypts and uses your API key. OneClickClaw staff cannot see your API key. Our management layer communicates with your server through a secure gateway connection, but it never reads or transmits your decrypted key. Even if someone gained access to our central database, they would not find your API key there because it is stored exclusively on your VPS.
Note
During provisioning and configuration changes, encrypted key data travels over TLS-secured connections. At no point is the raw key transmitted in plaintext over the network.
How to rotate your API key
Rotating your API key regularly is a security best practice. Follow these steps to rotate your key without any downtime:
1. Generate a new key in your provider's dashboard. Log in to your AI provider (e.g., console.anthropic.com, platform.openai.com) and generate a new API key. Keep the old key active for now.
2. Update the key in your Agent Panel. Open your OneClickClaw dashboard, go to Agent Panel > AI Provider, paste the new key, and click Save. Your agent starts using the new key immediately.
3. Verify your agent is responding. Send a test message through one of your connected channels to confirm the agent responds correctly with the new key.
4. Revoke the old key. Go back to your AI provider's dashboard and revoke (delete) the old key. This ensures the old key cannot be used even if it was exposed.
Tip
Rotate your API key at least every 90 days, or immediately if you suspect it may have been exposed.
What to do if a key is compromised
If you believe your API key has been leaked or used without authorization, act immediately. Your agent stops working with the compromised key as soon as you revoke it, and resumes once you supply the new one:
- Revoke the key immediately in your AI provider's dashboard. This stops all usage of that key, including any unauthorized usage.
- Generate a new key from the same provider dashboard.
- Update your OneClickClaw agent with the new key from the Agent Panel > AI Provider section.
- Review your provider's usage logs for any unexpected charges or activity during the exposure window.
Warning
Never share your API key publicly. If you suspect your key is compromised, rotate it immediately in both the provider's dashboard and your OneClickClaw Agent Panel.
Credential fingerprint detection
OneClickClaw includes a credential fingerprint feature that automatically detects whether the same API key or OAuth credentials are used across multiple servers. If you (or someone else) enter the same key on a different OneClickClaw instance, the system shows a warning banner on your dashboard.
- OAuth credential reuse (high severity): An amber warning banner appears if the same OAuth credentials are detected on another server. This could indicate unauthorized access.
- API key reuse (low severity): A blue informational banner appears if the same API key is used on another server. This is less critical but worth reviewing to avoid unexpected billing.
Note
Credential fingerprinting helps you catch accidental key sharing across instances. If you intentionally use the same key on multiple servers, you can safely dismiss the warning.
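The section above explains what credential fingerprinting detects and the two severity levels it reports, but not how a platform can compare keys across servers without holding them. The Go program below is an added illustration of one way to do that and is not OneClickClaw's own implementation. It assumes that each VPS sends only a keyed hash (HMAC-SHA256) of the credential to a central registry, that the registry tracks which server IDs reported each fingerprint, and that reuse of an OAuth credential maps to high severity while API key reuse maps to low severity, matching the banners described above. The fingerprint key, server IDs and credentials are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Severity mirrors the two banner levels described on the page.
type Severity string

const (
	SeverityNone Severity = "none"
	SeverityLow  Severity = "low"  // API key reuse: blue informational banner
	SeverityHigh Severity = "high" // OAuth credential reuse: amber warning banner
)

// fingerprint returns a keyed hash of the credential. Only this value leaves
// the VPS, so the registry can detect reuse without ever seeing the key.
// Surrounding whitespace is trimmed so a pasted key with a trailing newline
// still matches. fpKey is a hypothetical platform-wide fingerprinting key.
func fingerprint(fpKey []byte, credential string) string {
	mac := hmac.New(sha256.New, fpKey)
	mac.Write([]byte(strings.TrimSpace(credential)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Registry records which servers have reported each fingerprint.
type Registry struct {
	seen map[string][]string // fingerprint -> server IDs
}

func NewRegistry() *Registry {
	return &Registry{seen: map[string][]string{}}
}

func containsString(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Register stores fp for serverID and reports whether another server already
// uses the same credential. The same server re-registering its own key is
// not reuse and produces no banner.
func (r *Registry) Register(serverID, fp string, isOAuth bool) (Severity, []string) {
	var others []string
	for _, s := range r.seen[fp] {
		if s != serverID {
			others = append(others, s)
		}
	}
	if !containsString(r.seen[fp], serverID) {
		r.seen[fp] = append(r.seen[fp], serverID)
	}
	switch {
	case len(others) == 0:
		return SeverityNone, nil
	case isOAuth:
		return SeverityHigh, others
	default:
		return SeverityLow, others
	}
}

func main() {
	fpKey := []byte("constructed-platform-fingerprint-key")
	reg := NewRegistry()

	// Constructed credentials; not real keys.
	apiFP := fingerprint(fpKey, "sk-EXAMPLE-api-key\n")
	oauthFP := fingerprint(fpKey, "oauth-EXAMPLE-refresh-token")

	fmt.Println(reg.Register("vps-a", apiFP, false))   // none: first use
	fmt.Println(reg.Register("vps-b", apiFP, false))   // low [vps-a]: blue banner
	fmt.Println(reg.Register("vps-a", oauthFP, true))  // none: first use
	fmt.Println(reg.Register("vps-c", oauthFP, true))  // high [vps-a]: amber banner
}
```

Because the registry only ever stores fingerprints, compromising it reveals which servers share a credential but not the credential itself, which is consistent with the page's statement that the central database holds no API keys.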
Setting spending limits
Your API key connects directly to your AI provider's billing. To protect yourself from unexpected costs, set spending limits directly in your AI provider's account settings. Most providers offer monthly budget caps, per-request limits, or usage alerts.
Tip
Set spending limits on your AI provider account. This protects you from unexpected costs if your key is used by unauthorized parties.
For more details on how BYOK works, see BYOK Explained. To configure your AI provider, see Setting Up Your AI Provider.
