
I Built A LangChain Agent That Never Sees My API Keys

A LangGraph weather agent that pulls OpenWeatherMap and provider keys from a 1Claw vault at runtime. Neither key sits in .env, enters the prompt, or touches agent memory.

I built a LangGraph react agent that pulls both keys from a 1Claw vault at runtime. The OpenWeatherMap key, the OpenAI key, neither one sits in .env. Neither enters the prompt. Neither enters agent memory or logs.

The repo is at https://github.com/1clawAI/1claw-langchain-demo.

How it works

Fundamentally, 1Claw is middleware that keeps LLMs from reading your sensitive data, such as .env secrets.

When you run this demo, the agent gets a question like "What's the weather in Tokyo?" and calls a get_weather tool. Inside that tool — before the network call goes out — the OpenWeatherMap key is fetched from the vault, used to hit api.openweathermap.org, and discarded. The agent receives weather text back: "Tokyo is currently 69°F with clear skies and 75% humidity." The key never enters LangChain's message history, the agent's scratchpad, or the LLM's context.

The LLM call itself routes through Shroud, 1Claw's proxy. Shroud's headers carry the provider key — also fetched from the vault when the chat model is built — so it never lands in .env either. Twenty layers of protection sit between your prompt and the model.

What I want to call out is what 1Claw isn't doing here. It's not LangChain, it's not LangGraph, it's not OpenWeatherMap. It's a vault and a proxy that sit beside whatever you're already using. The same pattern works for Stripe, GitHub, Anthropic, Google, or anything else your agent has to authenticate against. Shroud is BYOK if you already pay OpenAI, or 1Claw can handle billing directly if you'd rather have one vendor relationship instead of two. Either way, prompts get inspected for leaks and injection attempts on the way out. There's no path through the agent for a credential to escape, because the LLM's environment doesn't contain one.
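The tool-scoped fetch described above, sketched as an added example (not code from the demo repo): the vault client and HTTP transport are injected stand-ins, `SECRET_PATH` and the fake key are constructed, and the endpoint and response fields assume OpenWeatherMap's current-weather API. It also scrubs error text, because HTTP client exceptions commonly quote the request URL with the `appid` in it, and tool errors are handed back to the model.

```python
import json
from urllib.parse import quote_plus, urlencode

OWM_URL = "https://api.openweathermap.org/data/2.5/weather"
SECRET_PATH = "openweathermap-api-key"  # hypothetical vault path, not from the repo

def make_get_weather(fetch_secret, http_get):
    """Build a tool whose return value is the only thing the agent ever sees."""
    def get_weather(city: str) -> str:
        key = fetch_secret(SECRET_PATH)  # fetched per call, never stored on the agent
        url = OWM_URL + "?" + urlencode({"q": city, "units": "imperial", "appid": key})
        try:
            data = json.loads(http_get(url))
            return (f"{data['name']} is currently {round(data['main']['temp'])}°F with "
                    f"{data['weather'][0]['description']} and "
                    f"{data['main']['humidity']}% humidity.")
        except Exception as exc:
            # Exception text can embed the full URL, appid included. Scrub both the
            # raw and URL-encoded forms before the string reaches message history.
            detail = str(exc)
            for form in (key, quote_plus(key)):
                detail = detail.replace(form, "[REDACTED]")
            return f"Weather lookup failed ({type(exc).__name__}): {detail}"
    return get_weather

# --- constructed stand-ins so the example runs offline ---
FAKE_KEY = "owm-constructed-key-0000"  # constructed value, not a real key
fake_vault = {SECRET_PATH: FAKE_KEY}

def ok_transport(url):
    return json.dumps({"name": "Tokyo", "main": {"temp": 68.7, "humidity": 75},
                       "weather": [{"description": "clear sky"}]})

def failing_transport(url):
    raise RuntimeError(f"401 Client Error: Unauthorized for url: {url}")

def tool_outputs():
    """Everything that would land in the agent's message history."""
    ok = make_get_weather(fake_vault.__getitem__, ok_transport)
    bad = make_get_weather(fake_vault.__getitem__, failing_transport)
    return [ok("Tokyo,JP"), bad("Tokyo,JP")]

if __name__ == "__main__":
    for line in tool_outputs():
        print(line)
```

In a real agent, `fetch_secret` would be the vault client's read call and `http_get` the HTTP library; the same absence check on tool outputs works as a regression test.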

Try it

Step 1

Clone the repo and install the dependencies. You need Python 3.10+ and a venv.

git clone https://github.com/1clawAI/1claw-langchain-demo
cd 1claw-langchain-demo
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

You'll need a 1Claw human key (1ck_...) for setup — it never gets written to disk. Grab a free OpenWeatherMap key (no credit card required).

Step 2

Run the bootstrap script. It prompts for your keys with masked input.

python bootstrap.py

A vault gets created, your provider key and OpenWeatherMap key land in it, an agent gets minted with a read-only policy on the vault, and .env ends up with four variables: ONECLAW_AGENT_ID, ONECLAW_AGENT_API_KEY, ONECLAW_VAULT_ID, SHROUD_PROVIDER. No third-party keys.

Step 3

Run it.

python src/main.py "Tokyo,JP"

You'll see something like:

=== 1Claw + LangChain: Secure Weather Demo ===

City:     Tokyo,JP
Provider: anthropic (via Shroud)
Vault:    19edef9e...

--- Result ---
Tokyo is currently 69°F with clear skies and 75% humidity.

A LangGraph agent producing a real LLM response from real weather data, with neither key in its context.

Switch providers by editing one line in .env: SHROUD_PROVIDER=openai, anthropic, or google. No code change.

Agentic Security Today

The weather lookup isn't the point. I could've used requests and a hardcoded key.

What's interesting is the security middleware provided by 1Claw. The agent doesn't have the OpenWeatherMap key. It has a credential that lets it ask a vault for the OpenWeatherMap key, scoped by a policy, gated by a network call. The LLM has neither key. If a prompt injection lands tomorrow, there's nothing in scope to leak. If logs get scraped, nothing in them. If the bill spikes, you revoke the agent. If you swap OpenAI for Anthropic or Gemini, you swap the vault entry, not your code.

1Claw stays out of the way of every choice that could lock you in. It just refuses to let your tools see secrets they don't need.