# Security

> How ClawLink keeps your credentials and data secure

ClawLink is designed so that provider credentials stay off your machine and out of your codebase. Hosted connection flows and tool execution happen in ClawLink's infrastructure. OpenClaw keeps only the local ClawLink device credential it needs to authenticate to your account.

## Credential storage

Provider API keys and OAuth tokens are encrypted at rest using AES-256-GCM. ClawLink never stores or exposes those provider credentials in plaintext. When your agent makes a tool call, the provider credential is decrypted only at the moment of execution.

## Your machine stays clean

Because ClawLink proxies provider calls through its hosted infrastructure, you do not need to put third-party API keys in your `.env` files or source code for normal usage. Connect your apps once from the dashboard, and ClawLink handles the provider side.

## OpenClaw authentication

The recommended setup is **browser pairing**. Pairing creates a local ClawLink credential in the format `cllk_live_...` and stores it in `~/.openclaw/openclaw.json` for the OpenClaw plugin.

This local credential authenticates OpenClaw to ClawLink. It is not a provider credential like your Google or Stripe token.

<Warning>
  The locally stored ClawLink credential provides access to your connected apps through your account. Never share it or commit it to source control. If you believe it has been exposed, revoke it immediately in **Settings > API Keys** and pair again.
</Warning>
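
A check for the warning above, as an added example (not ClawLink's or OpenClaw's own code): it scans files, such as those staged in a pre-commit hook, for strings carrying the documented `cllk_live_` prefix and flags `~/.openclaw/openclaw.json` when other local users can access it. The character set and minimum length after the prefix, and all function names, are assumptions.

```python
import os
import re
import stat
import sys

# Assumption: the secret part after the documented "cllk_live_" prefix uses
# URL-safe characters; the page does not specify its length or alphabet.
CREDENTIAL_RE = re.compile(r"cllk_live_[A-Za-z0-9_\-]{8,}")


def find_credentials(text: str) -> list[tuple[int, int]]:
    """Return (line, column) of each credential-like string; never the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CREDENTIAL_RE.finditer(line):
            # Report position only, so the scanner's own output is safe to log.
            findings.append((lineno, match.start() + 1))
    return findings


def is_exposed_to_other_users(path: str) -> bool:
    """True if group or other users hold any permission bit on the file (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def scan_paths(paths: list[str]) -> dict[str, list[tuple[int, int]]]:
    """Scan files (for example the staged files in a pre-commit hook)."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as handle:
                hits = find_credentials(handle.read())
        except OSError:
            continue  # missing or unreadable file: nothing to report
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    found = scan_paths(sys.argv[1:])
    for path, hits in found.items():
        for lineno, col in hits:
            print(f"{path}:{lineno}:{col}: ClawLink credential found")
    config = os.path.expanduser("~/.openclaw/openclaw.json")
    if os.path.exists(config) and is_exposed_to_other_users(config):
        print(f"{config}: accessible to other users; restrict to mode 600")
    sys.exit(1 if found else 0)
```

Run it with the file names to check as arguments; a non-zero exit status means a credential-like string was found and the commit should be blocked.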

### API key best practices

* Prefer browser pairing over manual key entry
* Use manually created keys only for advanced fallback setups or debugging
* Use one key per device or workflow when you must create keys manually
* Revoke old keys you no longer need instead of reusing them indefinitely

## If your API key is compromised

If you suspect a ClawLink credential has been exposed or misused, act immediately:

<Steps>
  <Step title="Go to Settings > API Keys">
    Open the [ClawLink dashboard](https://claw-link.dev/dashboard) and navigate to **Settings > API Keys**.
  </Step>

  <Step title="Generate a new key">
    Click **Create API key** if you need a replacement manual key.
  </Step>

  <Step title="Revoke the exposed key">
    Delete the old key so it cannot be used anymore.
  </Step>

  <Step title="Repeat setup on the affected device">
    If the exposed key came from browser pairing, run pairing again in OpenClaw. If it came from a manual plugin settings UI, paste the new raw key there.
  </Step>
</Steps>

<Note>
  Revoking a key invalidates it immediately. Any OpenClaw client still using that key will stop working until you pair again or update the manual settings field.
</Note>

## Transport security

All communication between your agent and ClawLink, and between ClawLink and third-party APIs, uses HTTPS. Credentials and request payloads are never transmitted over unencrypted connections.

## Account security controls

Use **Settings > Security** to open the hosted account management screen for password, email, connected sign-in methods, and any additional protections your sign-in method supports.
