Section 4: API Keys and OAuth - Your Access Passes
Think of API keys as secure app passwords: they let OpenClaw talk to services like Anthropic or OpenRouter on your behalf. OAuth is the familiar "Sign in with Google" flow, where you approve access without copying a key.
Who Uses What
Here's how OpenClaw connects to common providers:
| Provider | Method |
|---|---|
| Anthropic (Claude) | API key |
| OpenAI | API key or OAuth |
| Google (Drive/Gmail) | OAuth |
| OpenRouter / Groq | API key |
| NVIDIA NIM | API key |
Where to Get Keys
Each provider has a dashboard (account settings for developers). Look
for tabs named API, Credentials, or
Developer Console. If you run
openclaw onboard, OpenClaw opens the right pages in your
browser so you can set things up quickly.
Where OpenClaw Keeps Them
OpenClaw stores credentials in
~/.openclaw/openclaw.json, under the env
section. It's a plain-text file, so treat it carefully. Don't
hand-edit it while OpenClaw is running; restart after changes
so they apply cleanly.
::: warning API keys are your billable identity. Treat them like credit-card numbers: never share them in chat, screenshots, or git commits. :::
Detecting & Fixing Expired Credentials
If OpenClaw suddenly loses access, start with:
🖥️ Type this in your terminal:
openclaw statusLook for errors such as 401 Unauthorized or
invalid_grant. These usually mean a key expired, was
revoked, or OAuth access was removed. Re-run onboarding to refresh
credentials:
🖥️ Type this in your terminal:
openclaw onboardIf you need details, inspect recent gateway logs:
🖥️ Type this in your terminal:
openclaw logs --limit 50Credential Reset Mini-Playbook
- Re-run onboarding:
openclaw onboard - Check status:
openclaw status - Inspect logs:
openclaw logs --limit 50 - Restart gateway:
openclaw gateway restart