Open ClawOpen Claw

OpenClaw Default API Key Not Changed — Security Risk Fix (2026)

Using the default API key in OpenClaw is a critical security risk. Learn how to generate and rotate API keys to protect your instance.

Why This Is Dangerous

OpenClaw's default API key is publicly known — it's in the documentation, GitHub repositories, and tutorial videos. If you deploy OpenClaw without changing this key, anyone can control your agent, access conversations, and use your AI API credits.

How to Fix It

1. Generate a Secure Key

# Generate a 32-byte random hex key
openssl rand -hex 32
# Output: a1b2c3d4e5f6...64 characters

# Or with Node.js
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

2. Update Your Configuration

{
  "apiKey": "your-new-secure-key-here",
  "apiKeys": [
    {
      "key": "key-for-telegram-bot",
      "name": "Telegram",
      "permissions": ["chat", "skills"]
    },
    {
      "key": "key-for-admin-panel",
      "name": "Admin",
      "permissions": ["*"]
    }
  ]
}

3. Use Environment Variables (More Secure)

# In .env or docker-compose.yml
OPENCLAW_API_KEY=your-new-secure-key-here

# Never commit API keys to version control!
echo ".env" >> .gitignore

4. Verify the Change

# This should FAIL with 401 Unauthorized
curl -H "Authorization: Bearer default-key" http://localhost:3000/api/health

# This should SUCCEED
curl -H "Authorization: Bearer your-new-key" http://localhost:3000/api/health

Best Practices for API Key Management

  • Never commit API keys to Git repositories
  • Use different keys for different environments (dev, staging, prod)
  • Rotate keys every 90 days
  • Use environment variables or a secrets manager
  • Monitor API key usage for anomalies
  • Immediately revoke compromised keys

Frequently Asked Questions

What is the default OpenClaw API key?

OpenClaw ships with a placeholder API key for initial setup. This key is publicly documented and should never be used in production. Change it immediately after installation.

How do I generate a secure API key?

Use a cryptographically secure random generator. On Linux/macOS: openssl rand -hex 32. On any system with Node.js: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))".

How often should I rotate API keys?

Rotate API keys every 90 days as a best practice. Also rotate immediately if you suspect a key has been compromised, if a team member leaves, or if a key was accidentally committed to version control.

Can I use multiple API keys?

Yes, OpenClaw supports multiple API keys. This allows you to assign different keys to different services (Telegram bot, WhatsApp, web interface) and revoke them independently.

Related Articles

Unique API Keys, Auto-Generated

Our managed deployment generates unique API keys automatically. No default keys to worry about.

Get Started Securely
← Back to blog