Secrets Management

How to safely store and manage API credentials in your hosted OpenClaw environment on Molten.Bot.


Secret storage is the foundation of safe agent automation. If an API key or token is exposed, an attacker can spend your money, read your data, or impersonate your systems. This guide shows a simple, repeatable way to store and use secrets safely.

Storage Rules (TL;DR)

  • Store all credentials in the Molten.Bot Secrets UI (not in code, prompts, or local files).
  • Never store secrets in git-tracked files, prompts, chat logs, or screenshots.
  • Reference secrets by name in code/config, never by raw value.
  • Rotate secrets on a schedule and immediately after any suspected exposure.

Where to Find Secrets in the UI

In the app, open the Secrets tab (key icon) from the top navigation.

[Image: top navigation showing where to open the Secrets tab. Caption: Open the key icon tab to access secrets management.]

What Must Be Stored as a Secret

  • LLM provider keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.)
  • Bot tokens and webhook signing secrets
  • Database passwords and private connection strings
  • Third-party integration credentials (GitHub, Stripe, Slack, etc.)

How Secrets Storage Works in Molten.Bot

Molten.Bot hosted environment

In Molten.Bot, add credentials from the Secrets page using Add Group and Add Secret. Save each value once, then reference only secret names in your agent configuration and tooling.

Under the hood, Molten.Bot stores credentials in a dedicated secure enclave for your environment and mounts them into the runtime as environment variables, so secret values never need to be pasted into code or prompts.

[Image: Secrets Management page showing grouped secret names with values masked. Caption: Store secrets in groups by purpose and keep values masked in the interface.]

Standard Naming Convention

We recommend using uppercase snake case and including the provider and purpose in each name. Good names make automation easier and avoid confusion later.

OPENAI_API_KEY
GITHUB_TOKEN
STRIPE_WEBHOOK_SECRET
POSTGRES_PASSWORD
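
Because secrets are mounted as environment variables and referenced by name, agent code can resolve them at startup and fail closed if one is missing. The following is an added example, not Molten.Bot's own code: the names load_secrets, Secret and MissingSecret are hypothetical, and the sample values are constructed.

```python
import os
import re

# Uppercase snake case, as recommended in the naming convention above.
NAME_RE = re.compile(r"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$")


class MissingSecret(RuntimeError):
    """Raised when a required secret is not present in the environment."""


class Secret:
    """Holds a secret value; repr/str show only the name, never the value."""

    def __init__(self, name, value):
        self.name = name
        self._value = value

    def reveal(self):
        # Call only at the point of use (e.g. building an Authorization header).
        return self._value

    def __repr__(self):
        return f"Secret({self.name}=****)"

    __str__ = __repr__


def load_secrets(names, env=None):
    """Resolve secrets by name; fail closed if any name is invalid or unset."""
    env = os.environ if env is None else env
    bad = [n for n in names if not NAME_RE.fullmatch(n)]
    if bad:
        raise ValueError(f"not uppercase snake case: {bad}")
    missing = [n for n in names if not env.get(n)]
    if missing:
        # Report names only; values never appear in errors or logs.
        raise MissingSecret(f"unset secrets: {missing}")
    return {n: Secret(n, env[n]) for n in names}


if __name__ == "__main__":
    # Constructed sample environment standing in for the hosted runtime.
    sample_env = {"OPENAI_API_KEY": "sk-constructed", "GITHUB_TOKEN": "ghp-constructed"}
    secrets = load_secrets(["OPENAI_API_KEY", "GITHUB_TOKEN"], env=sample_env)
    print(secrets["OPENAI_API_KEY"])  # masked form, safe to log
```

Wrapping the value keeps it out of logs and tracebacks if the object is printed by accident; an empty value is treated the same as a missing one.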