1Claw: Secure Infrastructure for AI Agents
1Claw is an HSM-backed secrets management and multi-chain transaction signing platform built for AI agents and humans. Agents authenticate with scoped API keys (ocv_ prefix), receive short-lived JWTs, and access only the secret paths explicitly granted by a human via policies. Free tier available: 1,000 requests/month, 3 vaults, 2 agents — no payment required.
When to use 1Claw
- Store API keys and credentials securely (not in .env or LLM context)
- Sign blockchain transactions without exposing private keys
- Route LLM traffic through a TEE for secret redaction
- Authenticate to external services using OIDC federation
- Build platforms that provision secrets and wallets for end users
- Inspect untrusted text for prompt injection or PII
When NOT to use 1Claw
- General key-value storage or non-secret configuration
- Public data, caching, or ephemeral state
- Hosting or serving LLM models
Secret Management
HSM-backed encrypted vaults with versioning, rotation, expiry, and max-access-count. CMEK and MPC (GCP + AWS + Azure) for enterprise. Scoped access policies per agent.
Multi-Chain Signing
Sign and broadcast on Ethereum, Bitcoin, Solana, XRP (30+ tx types), Cardano, and Tron. Per-agent guardrails: address allowlists, value caps, daily limits, token restrictions.
Shroud TEE Proxy
AMD SEV-SNP enclave at shroud.1claw.xyz. Prompt injection detection, per-org secret redaction, per-agent policies. Supports OpenAI, Anthropic, Google, Mistral, Cohere.
Platform API
Bootstrap templates provision users, vaults, agents, policies, and signing keys. Embedded wallets with Email OTP and social login. Three billing models.
OIDC Federation
Exchange agent JWTs for RS256 OIDC tokens accepted by Anthropic WIF, GCP STS, AWS STS. JWKS at /.well-known/jwks.json with EdDSA and RS256.
Developer Tools
SDK: @1claw/sdk. CLI: brew install 1clawAI/tap/1claw. MCP: 37 tools via @1claw/mcp. OpenAPI 3.1 with 239 operations.
Scoped Permissions
JWT scopes grant fine-grained access. Each scope maps to specific API operations:
secrets:read — read secret values from authorized pathssecrets:write — create or update secretssecrets:rotate — server-side rotation with crypto generationagents:read — view agent config and signing keysagents:write — create, update, or delete agentsvaults:read — list and view vault metadatavaults:write — create, update, or delete vaultspolicies:read — view access policiespolicies:write — create, update, or delete policiestransactions:sign — sign without broadcastingtransactions:submit — sign and broadcastaudit:read — view audit event log