The problem we solve

AI agents need secrets to do useful work — but pasting keys into chat or stuffing them in env vars is broken. Here's why we built 1Claw.

AI agents need API keys, database credentials, and tokens to do useful work. The way most teams give agents access to secrets today is broken — and the fix is to stop giving agents secrets at all.

The problem: secrets end up everywhere

When you paste a Stripe key into Claude, Cursor, or GPT so it can call the Stripe API, that key is no longer "yours" in any meaningful sense. It lands in the context window, in chat logs, and often in the model's memory. You can't un-paste it. If the conversation is logged for training or debugging, the secret is there. If the agent is compromised or hallucinates and echoes it back, the secret is exposed.

The same is true when you put secrets in environment variables for an agent or a CI job: they sit in config files, deployment history, and process listings. Rotating the key doesn't help if the old one is still in a log somewhere.

Agents need access, not copies

What agents actually need is permission to use a secret at the moment they need it — not a copy of the secret to hold onto. That's the same principle behind OAuth and short-lived tokens for humans: you authorize an action without handing over your password.

For AI agents, that means:

  • Secrets stay in a vault — encrypted with keys that never leave an HSM or trusted enclave.
  • Agents get scoped access — you grant "read api-keys/stripe" to a specific agent, with optional conditions (IP, time window) and an expiry.
  • Fetch at runtime — the agent calls the vault when it needs the secret, uses it, and never stores it in context or memory.
  • Audit and revoke — every access is logged; you can revoke a policy or rotate the secret and the agent loses access immediately.
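The grant model in the list above, sketched as an added example; it is not 1Claw's API or policy schema. `Policy`, `Vault`, `read` and every value are hypothetical and constructed, and the sketch covers the IP condition, expiry, revocation and audit logging.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:                 # hypothetical grant shape, not 1Claw's schema
    agent: str                # agent identity the grant applies to
    path: str                 # exact secret path, e.g. "api-keys/stripe"
    cidr: str                 # source-IP condition
    expires: datetime         # grant expiry
    revoked: bool = False

@dataclass
class Vault:
    secrets: dict
    policies: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def read(self, agent, path, src_ip, now):
        decision = "no matching policy"          # default deny
        for p in self.policies:
            if (p.agent, p.path) != (agent, path):
                continue
            if p.revoked:
                decision = "policy revoked"
            elif now >= p.expires:
                decision = "policy expired"
            elif ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.cidr):
                decision = "source IP not allowed"
            else:
                decision = "allow"
                break
        # Log every attempt, allowed or denied; never log the secret value.
        self.audit.append((now.isoformat(), agent, path, src_ip, decision))
        return decision, (self.secrets[path] if decision == "allow" else None)

def demo():
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)      # constructed clock
    v = Vault(secrets={"api-keys/stripe": "constructed-placeholder"})
    pol = Policy("billing-agent", "api-keys/stripe", "10.0.0.0/8", t0 + timedelta(hours=1))
    v.policies.append(pol)
    a, s, ip = "billing-agent", "api-keys/stripe", "10.1.2.3"
    v.read(a, s, ip, t0)                        # in scope
    v.read(a, "db/production", ip, t0)          # path never granted
    v.read(a, s, "203.0.113.9", t0)             # outside the allowed CIDR
    v.read(a, s, ip, t0 + timedelta(hours=2))   # after expiry
    pol.revoked = True
    v.read(a, s, ip, t0)                        # revoked: denied on the next call
    return [entry[-1] for entry in v.audit]
```

Because the decision is made on every read rather than once at issuance, revoking the policy takes effect on the very next call, and the audit trail records the denied attempts as well as the allowed one.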

What we built

1Claw is a cloud HSM-backed secrets manager designed for this model. You create vaults, store secrets at paths (e.g. api-keys/stripe, db/production), and register agents. You attach policies that say "this agent can read these paths" — no more, no less. Agents authenticate with a short-lived JWT and call the API (or use our MCP server or OpenClaw plugin) to fetch only the secrets they're allowed to see.

Beyond the vault, we added features that keep keys out of the open: transaction signing so agents can submit on-chain transactions without ever seeing the private key; Shroud, a TEE proxy that redacts secrets from LLM traffic and can sign inside the enclave; and sharing — send secrets via time-limited links with optional passphrase and IP allowlists. You get a single place for credentials, audit, and safe agent integrations.

We built it because we were tired of pasting keys into chat and hoping they wouldn't leak. If you're building AI agents that need to call APIs, hit databases, or sign transactions, we think you should have a place to put credentials that isn't the context window.
