OC-201c · Module 1

Environment & Secrets Management

3 min read

Your OpenClaw instance holds the keys to your digital life. API keys for email, calendar, social media, AI models, CRM, task management. Database credentials. OAuth tokens. Every one of these is a secret that, if leaked, gives someone else access to your accounts. Environment management is the practice of keeping these secrets out of your code, out of your version control, and out of your logs.

The architecture is straightforward. Secrets live in a .env file on the machine. The .env file is in .gitignore so it never reaches GitHub. The code reads secrets from process.env, never from hard-coded values. When you add a new API integration, you add the key to .env and reference it via process.env.NEW_API_KEY. When you move to a new machine, you copy the .env file separately from the code. The code is public-safe. The secrets are machine-local.

Do This

  • Store all secrets in .env files excluded from version control
  • Reference secrets via process.env — never hard-code them
  • Document every required environment variable in a .env.example file with placeholder values
  • Rotate API keys periodically and after any potential exposure

Avoid This

  • Hard-code API keys in source files — a single git push leaks everything
  • Store secrets in config.json files that might get committed accidentally
  • Share .env files over Slack, email, or any unencrypted channel
  • Use the same API key for development and production environments