Your AI agent's API keys are sitting in plain sight. Here's how to fix that.
A walkthrough for deploying the 1Claw template on Pinata's OpenClaw platform — secure your agent credentials in an HSM vault in about ten minutes.
If you've been building AI agents for any length of time, you've probably done this at least once: pasted an API key directly into a prompt, a config file, or an environment variable you swore you'd clean up later. We all have. The problem is that those keys don't stay contained. They end up in chat history, logs, debug traces, and sometimes in places you'd really rather they didn't.
That's the problem 1Claw was built to solve. And now, with a ready-to-deploy template on Pinata's OpenClaw platform, getting started takes maybe ten minutes.
Why agent security is worth caring about right now
Agents are getting more capable fast. They're making API calls, managing files, triggering transactions. The more they can do, the more damage a leaked credential can cause. And the way most people currently handle credentials in agentic workflows is… not great.
The typical approach is something like: put the key in a .env file, hope it doesn't end up in a repo, and move on. But the moment your agent starts talking to an LLM, that key can surface in the context window. From there it can end up in the provider's logs, in your own debugging output, anywhere.
Instead of storing secrets in environment variables or passing them through prompts, 1Claw keeps them in an HSM-backed vault. Your agent fetches credentials at runtime through short-lived tokens. The key is used and discarded. It never appears in context, never shows up in logs, never sits exposed in memory.
On top of the vault, 1Claw ships a feature called Shroud, which sits between your agent and whatever LLM provider you're using. It inspects every request in real time, redacting secrets and PII before they reach the model, and catching prompt injection attempts before they cause problems. It also includes an Intents API for on-chain transaction signing, where private keys stay in the HSM and the agent simply submits what it wants to do.
Taken together, it's the kind of infrastructure that used to require a serious engineering investment to build yourself. Now you can just use it.
Getting started on OpenClaw in a few steps
Pinata's OpenClaw platform is designed specifically for deploying AI agents, and they've got a marketplace where teams publish ready-made templates. The 1Claw template is there and ready to go.
Step 1 — Grab the template from the marketplace
Head to the 1Claw template on the OpenClaw Marketplace and click to deploy. No cloning repos, no manual setup.
Step 2 — Connect your 1Claw vault
If you don't have a 1Claw account yet, sign up at 1claw.xyz. The free tier gives you 1,000 API requests per month with no credit card required. Create a vault, add your secrets, and grab your agent API key.
Step 3 — Configure and deploy
Paste your vault ID and agent credentials into the OpenClaw template config. The template handles the authentication flow — your agent will fetch secrets at runtime, and none of them will touch your context window.
Step 4 — Watch the video workshop
The full walkthrough below covers the whole process end to end. Worth watching even if you're comfortable with both platforms.
Watch the workshop
The team put together a full video walkthrough of deploying the template. It covers everything from setting up your vault to seeing the agent running in production.
OpenClaw x 1Claw — Full Video Workshop. Step-by-step deployment walkthrough. Covers vault setup, agent config, and going live on the OpenClaw platform.
A few things worth knowing
1Claw works natively with Claude, Cursor, and GPT through its MCP server, which means you can also manage vault secrets directly from your IDE or chat interface if that fits your workflow. There's a CLI too, for teams that prefer scripting everything.
If you're building something on-chain, the Intents API is worth looking at separately. It handles transaction signing without ever exposing private keys to your agent, with per-agent guardrails like value caps and chain restrictions baked in.
Pricing is straightforward. The free tier covers a lot of experimentation. When you're ready to scale, paid plans start at $29/month, and there's also a pay-per-use option settled in USDC on Base if subscriptions aren't your thing.
Worth taking seriously
Most agent security problems aren't dramatic. Nobody hacks you in a movie-style breach. Keys just end up where they shouldn't over time, and you find out after something's already gone wrong. Setting this up now, before your agents are doing anything high-stakes, is about as low-effort as security work gets. The template does most of the work. The rest is just configuration.
If you've been putting off thinking about credential management in your agent stack, this is a good reason to stop putting it off.