Skip to main content

Secrets apply plan contract

This page defines the strict contract enforced by openclaw secrets apply. If a target does not match these rules, apply fails before mutating config.

Plan file shape

openclaw secrets apply --from <plan.json> expects a targets array of plan targets: 
{
  version: 1,
  protocolVersion: 1,
  targets: [
    {
      type: "models.providers.apiKey",
      path: "models.providers.openai.apiKey",
      pathSegments: ["models", "providers", "openai", "apiKey"],
      providerId: "openai",
      ref: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
    },
  ],
}

Allowed target types and paths

target.typeAllowed target.path shapeOptional id match rule
models.providers.apiKeymodels.providers.<providerId>.apiKeyproviderId must match <providerId> when present
skills.entries.apiKeyskills.entries.<skillKey>.apiKeyn/a
channels.googlechat.serviceAccountchannels.googlechat.serviceAccountaccountId must be empty/omitted
channels.googlechat.serviceAccountchannels.googlechat.accounts.<accountId>.serviceAccountaccountId must match <accountId> when present

Path validation rules

Each target is validated with all of the following:
  • type must be one of the allowed target types above.
  • path must be a non-empty dot path.
  • pathSegments can be omitted. If provided, it must normalize to exactly the same path as path.
  • Forbidden segments are rejected: __proto__, prototype, constructor.
  • The normalized path must match one of the allowed path shapes for the target type.
  • If providerId / accountId is set, it must match the id encoded in the path.

Failure behavior

If a target fails validation, apply exits with an error like: 
Invalid plan target path for models.providers.apiKey: models.providers.openai.baseUrl
No partial mutation is committed for that invalid target path.

Ref-only auth profiles and implicit providers

Implicit provider discovery also considers auth profiles that store refs instead of plaintext credentials:
  • type: "api_key" profiles can use keyRef (for example env-backed refs).
  • type: "token" profiles can use tokenRef.
Behavior:
  • For API-key providers (for example volcengine, byteplus), ref-only profiles can still activate implicit provider entries.
  • For github-copilot, if the profile has no plaintext token, discovery will try tokenRef env resolution before token exchange.

Operator checks

# Validate plan without writes
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json --dry-run

# Then apply for real
openclaw secrets apply --from /tmp/openclaw-secrets-plan.json
If apply fails with an invalid target path message, regenerate the plan with openclaw secrets configure or fix the target path to one of the allowed shapes above.