ipeaky

# ipeaky — Secure API Key Management

Keys are stored **directly in OpenClaw's native config** (`openclaw.json`) via `gateway config.patch`.
This means every skill that declares `primaryEnv` automatically picks up the key — zero manual wiring.

## Key Map — Service to Config Path

| Service | Config Path | primaryEnv |
|---------|------------|------------|
| OpenAI | `skills.entries.openai-whisper-api.apiKey` | OPENAI_API_KEY |
| ElevenLabs | `skills.entries.sag.apiKey` | ELEVENLABS_API_KEY |
| Brave Search | `tools.web.search.apiKey` | BRAVE_API_KEY |
| Gemini | `skills.entries.nano-banana-pro.apiKey` | GEMINI_API_KEY |
| Google Places | `skills.entries.goplaces.apiKey` | GOOGLE_PLACES_API_KEY |
| Notion | `skills.entries.notion.apiKey` | NOTION_API_KEY |
| ElevenLabs Talk | `talk.apiKey` | (direct) |
| Custom skill | `skills.entries.<skill-name>.apiKey` | (per skill) |
| Custom env | `skills.entries.<skill-name>.env.<VAR_NAME>` | (arbitrary) |

**Important:** Some keys serve multiple skills. OpenAI key is used by `openai-whisper-api`,
`openai-image-gen`, etc. ElevenLabs key is used by `sag` and `talk`. When storing, set ALL
relevant config paths for that key.

## Storing Keys (v4 — Single Paste, Zero Exposure) ⭐ PREFERRED

One popup. Paste everything. Regex parses. One save. One restart. Keys never touch chat or network.

```bash
bash {baseDir}/scripts/store_key_v4.sh "<SERVICE_NAME>" "<config_prefix>"
```

### Examples:
```bash
# X API keys (consumer key + secret + bearer in one paste)
bash {baseDir}/scripts/store_key_v4.sh "X API" "skills.entries.x-twitter.env"

# Any service — user pastes in any format:
#   consumer key: abc123
#   secret: xyz789
#   bearer token: AAAA...
```

The script:
1. Shows ONE macOS popup — user pastes all keys in any format
2. Local Python regex parses key-value pairs (no AI, no network)
3. Confirmation popup: "Found 3 keys: X, Y, Z — Store all?"
4. ONE `openclaw config set` batch → ONE gateway restart
5. Keys never appear in chat, lo...

# 🔑 ipeaky

**Secure API key management for [OpenClaw](https://openclaw.ai) agents.**

Keys never touch chat history, command arguments, or logs. Ever.

## Why

AI agents need API keys. Pasting them in chat is a security nightmare — they end up in conversation history, logs, and context windows. ipeaky solves this with a chat-native flow that keeps keys invisible end-to-end.

## How It Works

```
"Store my OpenAI key" → secure popup (hidden input) → config.patch → openclaw.json → done
```

1. **You say** "store my key" in chat
2. **Native macOS dialog** pops up with a hidden input field (dots, not plaintext)
3. **Key pipes through stdout** to OpenClaw's `gateway config.patch`
4. **Stored in `openclaw.json`** — OpenClaw's native config, auto-injected into all skills via `primaryEnv`
5. **Gateway reloads** — every skill picks up the key immediately, zero manual wiring

Keys never appear in chat, shell history, process lists, or logs.

## Scripts

### `secure_input_mac.sh` — Secure input popup (macOS)
```bash
bash scripts/secure_input_mac.sh OPENAI_API_KEY
# → Native macOS dialog with hidden input
# → Outputs key to stdout (captured by agent, never displayed)
```

### `test_key.sh` — Validate a key against the provider API
```bash
echo "$KEY" | bash scripts/test_key.sh openai
# → OK: OpenAI key (sk-7****) is valid.
```

Reads key from **stdin only**. Output always uses masked values (first 4 chars + `****`).

**Other operations** (list, delete) are handled agent-side via `gateway config.get` and `gateway config.patch` — no extra scripts needed.

## Supported Services

| Service | Test Endpoint | Auto-test |
|---------|--------------|-----------|
| OpenAI | `/v1/models` | ✅ |
| ElevenLabs | `/v1/user` | ✅ |
| Anthropic | `/v1/messages` | ✅ |
| Brave Search | `/res/v1/web/search` | ✅ |
| Gemini | `/v1/models` | ✅ |
| Any service | — | stored, no auto-test |

## Storage Model

ipeaky v3 stores keys in **OpenClaw's native config** (`openclaw.json`) via `gateway confi...