Skip to main content

Secrets apply plan contract

This page defines the strict contract enforced by openclaw secrets apply. If a target does not match these rules, apply fails before mutating configuration.

Plan file shape

openclaw secrets apply --from <plan.json> expects a targets array of plan targets:

Supported target scope

Plan targets are accepted for supported credential paths in:

Target type behavior

General rule:
  • target.type must be recognized and must match the normalized target.path shape.
Compatibility aliases remain accepted for existing plans:
  • models.providers.apiKey
  • skills.entries.apiKey
  • channels.googlechat.serviceAccount

Path validation rules

Each target is validated with all of the following:
  • type must be a recognized target type.
  • path must be a non-empty dot path.
  • pathSegments can be omitted. If provided, it must normalize to exactly the same path as path.
  • Forbidden segments are rejected: __proto__, prototype, constructor.
  • The normalized path must match the registered path shape for the target type.
  • If providerId or accountId is set, it must match the id encoded in the path.
  • auth-profiles.json targets require agentId.
  • When creating a new auth-profiles.json mapping, include authProfileProvider.

Failure behavior

If a target fails validation, apply exits with an error like:
No writes are committed for an invalid plan.

Runtime and audit scope notes

  • Ref-only auth-profiles.json entries (keyRef/tokenRef) are included in runtime resolution and audit coverage.
  • secrets apply writes supported openclaw.json targets, supported auth-profiles.json targets, and optional scrub targets.

Operator checks

If apply fails with an invalid target path message, regenerate the plan with openclaw secrets configure or fix the target path to a supported shape above.