WorkClaw/Documentation
Sign inGet started

How to Store Secrets in the Vault

Step-by-step guide to adding API keys, tokens, and other credentials to the WorkClaw Vault so your Claws can securely access external services.

How do I add a secret to the Vault?

Navigate to Settings > Vault and click Add Secret. You will be prompted for three fields:

  1. Name — A short, descriptive identifier like SLACK_BOT_TOKEN or OPENAI_API_KEY. Names must be unique within their scope and can only contain letters, numbers, underscores, and hyphens.
  2. Value — The secret itself. Paste the full API key, token, or password. This value is encrypted at rest and is not retrievable via the UI after saving — it can only be overwritten with a new value.
  3. Description (optional) — A note explaining what the secret is for, such as "Production Slack bot token for the #support channel."

Choose the scopeteam or private — and click Save.

How does a Claw use a vault secret?

Claws reference vault secrets by name. When a skill or connection needs authentication, it specifies which vault entry to use. The Claw retrieves the decrypted value at runtime, passes it to the external service, and discards it from memory immediately afterward. The secret value never appears in chat, logs, or conversation history.

Can I update an existing secret?

Yes. Go to Settings > Vault, find the entry, and click Edit. You cannot view the current value — you can only replace it. Enter the new value and save. The change takes effect immediately for all Claws that reference the entry.

Can I delete a secret?

Yes. Click the delete icon next to any entry and confirm. Deleting a secret that a skill or connection depends on will cause that integration to fail until a replacement is added. WorkClaw warns you if any active connections reference the secret you are about to delete.

What types of secrets can I store?

The Vault accepts any text value. Common examples include:

  • API keys for third-party services (e.g., OpenAI, Stripe, Twilio)
  • OAuth tokens for authenticated integrations
  • Database connection strings
  • Webhook signing secrets
  • SMTP credentials for custom email

Are there limits on how many secrets I can store?

There's no per-team cap on vault entries today — store what you need. Business contracts can negotiate dedicated quota controls if your security or compliance posture requires hard limits.

Related documentation