API keys and credentials stored with AES-256 encryption at rest, only decrypted and injected into the agent at runtime.
Your AI agent needs API keys to access LLM providers, tool integrations, and external services. These keys are sensitive — a leaked API key can result in unauthorized access and financial damage.
Encrypted secrets means these keys are stored encrypted in the database, never in plaintext. They are decrypted only at runtime when the agent needs them, and never exposed in logs, audit trails, or the dashboard.
API key leaks are one of the most common security incidents. If your agent's keys are stored in plaintext (environment variables, config files), anyone with access to the server can steal them.
Clawctl encrypts all API keys and credentials with AES-256 at rest. Keys are injected at runtime and never appear in logs or the UI. The setup wizard handles secure key entry.
Try Clawctl — 60 Second DeployAES-256 encryption at rest. TLS in transit.
No. Keys are write-only in the dashboard. You can update or delete them, but never read them back.
Update the key in the Clawctl dashboard. The agent picks up the new key on next restart.
Credential Rotation
The practice of periodically replacing API keys and secrets used by an AI agent, limiting the damage window if a key is compromised.
BYOK (Bring Your Own Key)
A model where you provide your own LLM API key (Anthropic, OpenAI, etc.) instead of the platform providing one, giving you full cost control and model choice.
Agent Isolation
The separation of AI agents into isolated environments so that one compromised agent cannot affect others.
Prompt Injection
An attack where malicious input manipulates an AI agent into ignoring its instructions and performing unintended actions.