openclaw/docs/cli/secrets.md

---
summary: "CLI reference for `openclaw secrets` (reload, audit, configure, apply)"
read_when:
  - Re-resolving secret refs at runtime
  - Auditing plaintext residues and unresolved refs
  - Configuring SecretRefs and applying one-way scrub changes
title: "secrets"
---

# `openclaw secrets`

Secrets runtime controls.

Related:

- Secrets guide: [Secrets Management](/gateway/secrets)
- Security guide: [Security](/gateway/security)

## Reload runtime snapshot

Re-resolve secret refs and atomically swap runtime snapshot.

```bash
openclaw secrets reload
openclaw secrets reload --json
```

Notes:

- Uses gateway RPC method `secrets.reload`.
- If resolution fails, gateway keeps last-known-good snapshot.
- JSON response includes `warningCount`.

## Audit

Scan OpenClaw state for:

- plaintext secret storage
- unresolved refs
- precedence drift (`auth-profiles` shadowing config refs)
- legacy residues (`auth.json`, OAuth out-of-scope notes)

```bash
openclaw secrets audit
openclaw secrets audit --check
openclaw secrets audit --json
```

Exit behavior:

- `--check` exits non-zero on findings.
- unresolved refs exit with a higher-priority non-zero code.

## Configure (interactive helper)

Build provider + SecretRef changes interactively, run preflight, and optionally apply:

```bash
openclaw secrets configure
openclaw secrets configure --plan-out /tmp/openclaw-secrets-plan.json
openclaw secrets configure --apply --yes
openclaw secrets configure --providers-only
openclaw secrets configure --skip-provider-setup
openclaw secrets configure --json
```

Flow:

- Provider setup first (`add/edit/remove` for `secrets.providers` aliases).
- Credential mapping second (select fields and assign `{source, provider, id}` refs).
- Preflight and optional apply last.

Flags:

- `--providers-only`: configure `secrets.providers` only, skip credential mapping.
- `--skip-provider-setup`: skip provider setup and map credentials to existing providers.

Notes:

- `configure` targets secret-bearing fields in `openclaw.json`.
- Include all secret-bearing fields you intend to migrate (for example both `models.providers.*.apiKey` and `skills.entries.*.apiKey`) so audit can reach a clean state.
- It performs preflight resolution before apply.
- Apply path is one-way for migrated plaintext values.

Exec provider safety note:

- Homebrew installs often expose symlinked binaries under `/opt/homebrew/bin/*`.
- Set `allowSymlinkCommand: true` only when needed for trusted package-manager paths, and pair it with `trustedDirs` (for example `["/opt/homebrew"]`).

## Apply a saved plan

Apply or preflight a plan generated previously:

```bash
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --json
```

Plan contract details (allowed target paths, validation rules, and failure semantics):

- [Secrets Apply Plan Contract](/gateway/secrets-plan-contract)

## Why no rollback backups

`secrets apply` intentionally does not write rollback backups containing old plaintext values.

Safety comes from strict preflight + atomic-ish apply with best-effort in-memory restore on failure.

## Example

```bash
# Audit first, then configure, then confirm clean:
openclaw secrets audit --check
openclaw secrets configure
openclaw secrets audit --check
```

If `audit --check` still reports plaintext findings after a partial migration, verify you also migrated skill keys (`skills.entries.*.apiKey`) and any other reported target paths.
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			`---`
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			summary: "CLI reference for `openclaw secrets` (reload, audit, configure, apply)"
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			`read_when:`
			`- Re-resolving secret refs at runtime`
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`- Auditing plaintext residues and unresolved refs`
			`- Configuring SecretRefs and applying one-way scrub changes`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			`title: "secrets"`
			`---`

			# `openclaw secrets`

			`Secrets runtime controls.`

			`Related:`

			`- Secrets guide: [Secrets Management](/gateway/secrets)`
			`- Security guide: [Security](/gateway/security)`

			`## Reload runtime snapshot`

			`Re-resolve secret refs and atomically swap runtime snapshot.`

			```bash
			`openclaw secrets reload`
			`openclaw secrets reload --json`
			```

			`Notes:`

			- Uses gateway RPC method `secrets.reload`.
			`- If resolution fails, gateway keeps last-known-good snapshot.`
			- JSON response includes `warningCount`.

feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`## Audit`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`Scan OpenClaw state for:`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`- plaintext secret storage`
			`- unresolved refs`
			- precedence drift (`auth-profiles` shadowing config refs)
			- legacy residues (`auth.json`, OAuth out-of-scope notes)
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
			```bash
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`openclaw secrets audit`
			`openclaw secrets audit --check`
			`openclaw secrets audit --json`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			```

feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`Exit behavior:`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			- `--check` exits non-zero on findings.
			`- unresolved refs exit with a higher-priority non-zero code.`
feat(secrets): finalize external secrets runtime and migration hardening 2026-02-24 19:34:29 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`## Configure (interactive helper)`
feat(secrets): finalize external secrets runtime and migration hardening 2026-02-24 19:34:29 -06:00
feat(secrets): finalize mode rename and validated exec docs 2026-02-25 23:17:31 -06:00			`Build provider + SecretRef changes interactively, run preflight, and optionally apply:`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
			```bash
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`openclaw secrets configure`
			`openclaw secrets configure --plan-out /tmp/openclaw-secrets-plan.json`
			`openclaw secrets configure --apply --yes`
feat(secrets): finalize mode rename and validated exec docs 2026-02-25 23:17:31 -06:00			`openclaw secrets configure --providers-only`
			`openclaw secrets configure --skip-provider-setup`
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`openclaw secrets configure --json`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			```

feat(secrets): finalize mode rename and validated exec docs 2026-02-25 23:17:31 -06:00			`Flow:`

			- Provider setup first (`add/edit/remove` for `secrets.providers` aliases).
			- Credential mapping second (select fields and assign `{source, provider, id}` refs).
			`- Preflight and optional apply last.`

			`Flags:`

			- `--providers-only`: configure `secrets.providers` only, skip credential mapping.
			- `--skip-provider-setup`: skip provider setup and map credentials to existing providers.

feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`Notes:`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			- `configure` targets secret-bearing fields in `openclaw.json`.
docs(secrets): clarify partial migration guidance 2026-02-26 00:54:14 -06:00			- Include all secret-bearing fields you intend to migrate (for example both `models.providers..apiKey` and `skills.entries..apiKey`) so audit can reach a clean state.
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`- It performs preflight resolution before apply.`
			`- Apply path is one-way for migrated plaintext values.`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
docs(secrets): clarify partial migration guidance 2026-02-26 00:54:14 -06:00			`Exec provider safety note:`

			- Homebrew installs often expose symlinked binaries under `/opt/homebrew/bin/*`.
			- Set `allowSymlinkCommand: true` only when needed for trusted package-manager paths, and pair it with `trustedDirs` (for example `["/opt/homebrew"]`).

feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`## Apply a saved plan`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`Apply or preflight a plan generated previously:`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
			```bash
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`openclaw secrets apply --from /tmp/openclaw-secrets-plan.json`
			`openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run`
			`openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --json`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			```

docs(secrets): add dedicated apply plan contract page 2026-02-26 14:32:04 +01:00			`Plan contract details (allowed target paths, validation rules, and failure semantics):`

			`- [Secrets Apply Plan Contract](/gateway/secrets-plan-contract)`

feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`## Why no rollback backups`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`secrets apply` intentionally does not write rollback backups containing old plaintext values.

			`Safety comes from strict preflight + atomic-ish apply with best-effort in-memory restore on failure.`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`## Example`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00
			```bash
feat(secrets): replace migrate flow with audit/configure/apply 2026-02-25 20:29:39 -06:00			`# Audit first, then configure, then confirm clean:`
			`openclaw secrets audit --check`
			`openclaw secrets configure`
			`openclaw secrets audit --check`
Docs: add secrets and CLI secrets reference pages 2026-02-24 16:26:59 -06:00			```
docs(secrets): clarify partial migration guidance 2026-02-26 00:54:14 -06:00
			If `audit --check` still reports plaintext findings after a partial migration, verify you also migrated skill keys (`skills.entries.*.apiKey`) and any other reported target paths.