Strake
all systems normal sign in create your endpoint
sign in create your endpoint
all systems normal
openclaw

Your OpenClaw agent doesn't need
your real API keys.

Strake sits between OpenClaw and your AI providers. Your real keys stay in an encrypted vault. OpenClaw gets a disposable URL that works exactly the same — and you can revoke it anytime.

Create your first endpoint Read the docs
/01 the problem

How many places have you pasted your API key?

Your gateway config. A Discord channel skill. A cron job. A test script. That second instance on a Raspberry Pi. Every copy is a leak surface. And if you need to revoke that key, every single one breaks at the same time.

/02 how it works

One config change. That's the integration.

01

Store your real key in Strake

Your Anthropic, OpenAI, or any provider key goes into an encrypted vault. It never touches the machines running your agents.

02

Paste a Strake URL into your OpenClaw config

Same API calls, same responses. OpenClaw never knows the difference — it's a one-field change in your config file.

03

Revoke one agent without breaking the rest

Each instance gets its own Strake token. Revoke independently — your real API key is never touched, and everything else keeps running.

/03 the plugin

One command to install. Two env vars to configure.

The official @strakelabs/openclaw-strake plugin registers Strake as a native model provider inside OpenClaw. Install it once, then use any upstream model via a disposable Strake token.

01

Install the plugin

One command pulls it from the OpenClaw plugin registry — no npm install needed.

openclaw plugins install @strakelabs/openclaw-strake
02

Point it at your Strake endpoint

Create an endpoint at app.strake.sh, then export the URL and bearer token.

# set once — add to your shell profile to persist
export STRAKE_BASE_URL=https://abc123.strake.sh
export STRAKE_TOKEN=your-bearer-token
03

Use any model through the strake/ prefix

Strake passes the model ID through unchanged — every model your upstream provider supports works.

# OpenAI, Anthropic, Gemini — whatever your upstream is
openclaw --model strake/gpt-4o
openclaw --model strake/claude-opus-4-7
openclaw --model strake/gemini-2.0-flash
04

Or use strake run for ephemeral tokens

The Strake CLI mints a short-lived token, injects the env vars, launches OpenClaw, then revokes the token when the session ends. Nothing lingers.

strake auth login
strake endpoint create openai
 
# each session gets a fresh token, auto-revoked on exit
strake run my-proxy -- openclaw
View on GitHub ↗ npm ↗
/04 the change

One config change. Zero tokens exposed.

before real key in openclaw.json
// Every instance has a copy of this.
"anthropic": {
  "apiKey": "sk-ant-real-key..."
}
after strake endpoint, key stays in the vault
// Key never leaves the vault.
"anthropic": {
  "apiKey": "ct_live_7a3f...",
  "baseURL": "https://abc.strake.sh/v1"
}
/05 use cases

Built for how OpenClaw actually gets used.

Multiple OpenClaw instances

Running on a Mac Mini, a Raspberry Pi, and a cloud VPS? Each gets its own Strake token. Revoke one without touching the others.

Sharing skills and configs

Share your OpenClaw setup without sharing your real credentials. Recipients use their own Strake endpoints for their own keys.

Kill switch

Something feels off? Revoke the token instantly. Your real API key stays untouched — no provider dashboard needed.

/06 ship it

Let OpenClaw do its thing.
Keep your keys out of it.

Your real API keys stay in the vault. OpenClaw gets a disposable URL. Leaked token? Revoke in seconds.

Get started Read the docs