May 18, 2026

The Platform API: build products on top of 1Claw

Register your app, create a bootstrap template, and scaffold HSM-backed secrets infrastructure for every new user in one API call. Your users own their secrets — you can’t peek at them.

You're building an AI product and your users need wallets, signing keys, or API credentials that only they control. You could spend months wiring up HSMs, envelope encryption, key rotation, MPC custody, and audit logging — or you could call one API and get all of it. Starting today, the Platform API lets you scaffold production-grade secrets infrastructure for every new user in a single bootstrap call.

Why build on it

If you're building an AI product that touches credentials, private keys, or third-party API secrets on behalf of users, you have two options: build your own secrets infrastructure (HSM integration, envelope encryption, key rotation, audit logging, policy engine, MPC custody) — or call one endpoint and get all of it.

Here's what you skip building:

HSM-backed encryption — Google Cloud KMS with hardware security modules. Per-secret envelope encryption with automatic key rotation.
Multi-chain signing — Ethereum, Bitcoin, Solana, XRP, Cardano, Tron. Private keys generated and stored in HSMs. Your agents sign without ever seeing raw keys.
Policy engine — path-based access control with glob matching, IP conditions, time windows, and expiry. Agents only touch what humans explicitly allow.
Shroud LLM proxy — TEE-backed inspection that redacts secrets from LLM traffic, blocks prompt injection, and enforces per-agent content policies. Your users' data never leaks through the model.
Audit trail with hash chain — tamper-evident logs of every access, every signing operation, every policy change. Ready for SOC 2 and compliance reviews.
MPC custody — Shamir or XOR-split key shares across multiple HSM providers so no single party (not you, not us) can reconstruct a key alone.

That's months of engineering. With the Platform API, you get it in an afternoon. Define a template, call bootstrap, redirect your user to the claim URL. Done.

And because everything is platform_locked, you get a genuine custody guarantee you can show investors and users: “we literally cannot read your secrets.” That's a trust moat most products can't claim.

Who this is for

If any of these sound like you, the Platform API is your shortcut:

Hosted AI agent platforms — give each user their own wallet and signing keys without building custody from scratch.
Developer tools — your users store API keys for services your tool integrates with. You need them at runtime but should never persist them.
Wallets-as-a-service — non-custodial by default, with HSM + MPC + TEE signing under the hood.
Orchestration frameworks — your agents call third-party APIs. Embed 1Claw so credentials never touch your servers or context windows.

How it works

The flow connects three parties: you (the operator), 1Claw (secrets infrastructure), and your end-user (the secret owner).

Register your app — get a plt_ API key. This is your operator credential.
Create a bootstrap template — a declarative JSON spec defining what infrastructure each user gets: vault name, agent(s) with config, policies, and optionally multi-chain signing keys.
Provision a user — call POST /v1/platform/users/upsert with their email or an OIDC token from your IdP.
Bootstrap — one call creates their vault, agent, policies, and signing keys. You get back a claim_url to redirect them to.
User claims — they visit the URL, get their agent API key, and have full custody of their secrets.

Template spec example

Here's a real template that provisions a vault, an intents-enabled agent with Ethereum and Solana signing keys, Shroud LLM protection, and a read/write policy:

{
  "vault": {
    "name": "user-vault",
    "description": "Auto-provisioned vault"
  },
  "agents": [{
    "name": "primary",
    "intents": { "enabled": true },
    "shroud_enabled": true,
    "shroud_config": {
      "pii_policy": "redact",
      "enable_secret_redaction": true
    },
    "signing_keys": [
      { "chain": "ethereum" },
      { "chain": "solana" }
    ]
  }],
  "policies": [{
    "principal_ref": "agents.primary",
    "vault_ref": "vault",
    "paths": ["api-keys/*", "keys/*"],
    "permissions": ["read", "write"]
  }]
}

The principal_ref uses dot notation to reference agents defined in the same template — agents.primary resolves to the agent named “primary” at bootstrap time. Signing keys are provisioned per-chain and stored in the org's HSM-backed agent-keys vault.

The custody guarantee

Every resource created through a template is marked platform_locked: true. This means:

Your plt_ key cannot read secrets in locked vaults.
Your plt_ key cannot mint agent JWTs for user agents.
With CMEK + MPC enabled, secrets are mathematically inaccessible to both you and us.

You manage the lifecycle (create, delete, list). Your users own the cryptographic boundary.

Billing models

Three options, configurable on your app:

platform_pays — you cover all usage. Good for SaaS where secrets infra is bundled into your pricing.
user_pays — end-users cover their own subscription. Good for marketplaces.
hybrid — you pay the base, users pay overages. Good for freemium.

Auth modes

How your users get into 1Claw depends on your product:

Silent — your backend provisions users without them ever seeing a 1Claw screen. Pass a signed JWT from your IdP and they're in.
User sign-in — users authenticate with 1Claw (Google, email/password, SSO) during the claim step.
Configurable — mix and match per-user at bootstrap time.

SDK quick start

import { createClient } from "@1claw/sdk";

const client = createClient({
  baseUrl: "https://api.1claw.xyz",
  apiKey: "plt_YOUR_KEY",
});

// Create a template
const template = await client.platform.createTemplate(appId, {
  name: "default",
  spec: { vault: { name: "main" }, agents: [{ name: "primary" }], policies: [] },
});

// Provision and bootstrap
const user = await client.platform.upsertUser({ email: "user@example.com" });
const result = await client.platform.bootstrapUser(user.data.connection_id, {
  template_id: template.data.id,
});

// Redirect user to claim their credentials
console.log(result.data.claim_url);

What's next

The Platform API requires a Pro plan or higher. We're building more on top of this foundation:

Delegated token exchange — let your backend agent act on behalf of users (with explicit user consent).
Webhook notifications — get notified when users claim resources or revoke access.
TEE-only signing enforcement — a per-agent flag to guarantee signing only happens inside Shroud's confidential enclave.

Read the full Platform API docs, or get started in the dashboard under Platform.

— Kevin Jones · More from the blog