
OpenClaw Security Guide: Don't Expose Your API Keys

SetupMyClaw Team
January 5, 2026
4 min read

Let’s talk about something serious: security.

We’ve seen hundreds of OpenClaw dashboards exposed to the public internet. API keys visible to anyone who stumbles upon them. This isn’t hypothetical - it’s happening right now.

Don’t be one of those people.

The Stakes

When your OpenClaw setup is compromised, attackers can:

  1. Drain your API credits - Running up thousands in charges
  2. Access your connected accounts - Telegram, Discord, email
  3. Read your conversations - Including sensitive information
  4. Execute commands - On your computer or server

This isn’t fear-mongering. We’ve helped users recover from all of these scenarios.

Rule #1: Never Expose Your Dashboard Publicly

If you’re running OpenClaw’s web interface, it should never be accessible from the public internet without authentication.

Wrong

# DON'T DO THIS
openclaw gateway run --bind 0.0.0.0 --port 8080

This makes your dashboard accessible to anyone who knows your IP address.

Right

# Local only
openclaw gateway run --bind 127.0.0.1 --port 8080

# Or with authentication
openclaw gateway run --bind 0.0.0.0 --port 8080 --auth required

Using a Reverse Proxy

If you need remote access, use a reverse proxy with authentication:

server {
    listen 443 ssl;
    server_name openclaw.yourdomain.com;

    # nginx will not start with `listen 443 ssl` unless a certificate is configured;
    # these paths are placeholders, point them at your own certificate and key
    ssl_certificate     /etc/nginx/ssl/openclaw.crt;
    ssl_certificate_key /etc/nginx/ssl/openclaw.key;

    # Password-protect every request before it reaches the dashboard
    auth_basic "OpenClaw";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        # Forward only to the loopback-bound gateway from Rule #1
        proxy_pass http://127.0.0.1:8080;
    }
}

Rule #2: Secure Your API Keys

Your API keys are stored in ~/.openclaw/credentials/. Protect this directory:

# Check permissions
ls -la ~/.openclaw/

# Fix if needed (Mac/Linux)
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/credentials/*
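The two chmod rules above are easy to get wrong after a restore or a copy between machines. The audit function below is an added example, not code from the OpenClaw project or from this post: it checks that the config directory is owner-only (drwx------) and that every file under credentials/ is -rw-------, and exits nonzero on any finding. The ~/.openclaw path is the one the post gives; the credentials file names it encounters are whatever is present.

```bash
#!/usr/bin/env bash
# Audit the OpenClaw config directory for the permissions Rule #2 asks for:
# the directory itself must be 0700 and every file under credentials/ must be 0600.

# mode_string PATH -> the 10-character permission field of `ls -ld`, e.g. drwx------
# (parsing ls keeps this portable between GNU and BSD/macOS, whose stat flags differ)
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# audit_openclaw_perms [CONFIG_DIR]
# CONFIG_DIR defaults to ~/.openclaw; pass another path to audit a backup copy.
# Prints one OK/FAIL line per object; returns 0 only when everything passes.
audit_openclaw_perms() {
  local dir="${1:-$HOME/.openclaw}"
  local status=0 mode f

  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir does not exist"
    return 1
  fi

  # Group and other bits on the config directory must all be off.
  mode=$(mode_string "$dir")
  case "$mode" in
    d???------) echo "OK:   $dir is $mode" ;;
    *) echo "FAIL: $dir is $mode (expected drwx------; run: chmod 700 $dir)"; status=1 ;;
  esac

  if [ ! -d "$dir/credentials" ]; then
    echo "WARN: $dir/credentials not found; no key files to check"
    return $status
  fi

  # Each credential file must be readable and writable by the owner only.
  for f in "$dir"/credentials/*; do
    [ -e "$f" ] || continue        # empty directory: the glob did not expand
    mode=$(mode_string "$f")
    case "$mode" in
      -rw-------) echo "OK:   $f is $mode" ;;
      *) echo "FAIL: $f is $mode (expected -rw-------; run: chmod 600 $f)"; status=1 ;;
    esac
  done
  return $status
}
```

Source the file and call `audit_openclaw_perms` (optionally with a path); because it returns nonzero on any finding it can gate a deploy or backup script.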

Environment Variables

Never put API keys in:

  • Public repositories
  • Unencrypted notes
  • Shared documents
  • Screenshots

If you’ve accidentally exposed a key, rotate it immediately in the provider’s dashboard.

Rule #3: Limit Permissions

OpenClaw can do a lot. Maybe too much for your comfort. Review and restrict:

# See current permissions
openclaw permissions list

# Disable file system access
openclaw permissions set filesystem read-only

# Disable command execution
openclaw permissions set commands disabled

The Principle of Least Privilege

Only grant the permissions OpenClaw actually needs. If you’re just using it for chat, it doesn’t need to:

  • Execute shell commands
  • Access your entire file system
  • Control your browser

Rule #4: Use Separate API Keys

Don’t use your main API key for OpenClaw. Create a dedicated key with:

  • Usage limits - Cap spending
  • Restricted permissions - If the provider supports it
  • Clear labeling - So you know what it’s for

This way, if the key is compromised, the blast radius is limited.

Rule #5: Monitor for Anomalies

Set up alerts for unusual activity:

Anthropic Console

  • Set up usage alerts
  • Review logs weekly

OpenAI Dashboard

  • Enable usage notifications
  • Set hard spending limits

OpenClaw Built-in

# Enable activity logging
openclaw config set logging.level info
openclaw config set logging.path ~/.openclaw/logs/

# Set cost alerts
openclaw config set budget.alert-threshold 5

Rule #6: Keep It Updated

Security patches are released regularly:

# Check for updates
openclaw --version
npm view openclaw version

# Update
npm update -g openclaw

Red Flags to Watch For

  • Unexpected API charges
  • Messages you didn’t send
  • Unfamiliar connected channels
  • High CPU usage when idle

If you notice any of these, assume compromise and:

  1. Stop OpenClaw immediately
  2. Rotate all API keys
  3. Review connected accounts
  4. Check system logs

Security Checklist

Before going live, verify:

  • Dashboard not publicly accessible
  • API keys have spending limits
  • Credentials directory has proper permissions
  • Unnecessary permissions disabled
  • Activity logging enabled
  • Running latest version
  • Backup of configuration

We Take Security Seriously

When we do setup sessions, security is our top priority. We:

  1. Configure proper access controls
  2. Set up spending limits
  3. Enable logging and alerts
  4. Review permissions
  5. Test for common vulnerabilities

Don’t leave your setup exposed. Book a session and we’ll make sure it’s locked down from day one.

Security best practices as of January 2026. Stay updated with the official OpenClaw documentation.
