
Secrets API

UClaw provides a secure, encrypted storage mechanism for API keys and credentials, ensuring they are never exposed in logs, client bundles, or LLM prompt traces.

1. Storage Mechanism

Secrets are stored in each environment's isolated, secure key-value storage. They are namespace-prefixed as secret:<key> and are inaccessible to standard tools and logs.

2. Dynamic Secret Interpolation

When configuring HTTP tools or writing extensions, you can interpolate secrets into headers or request bodies using double curly braces:

```json
{
  "headers": {
    "Authorization": "Bearer ${{ secrets.MY_SERVICE_API_KEY }}"
  }
}
```

3. Resolving Secrets

At runtime, UClaw performs a hierarchical lookup to resolve placeholders:

  1. Agent Level: Searches for the key in the agent's environment KV storage.
  2. App Level: If not found in the agent scope, UClaw falls back to querying the parent app environment KV storage.

This lets you set global credentials once at the App level while individual agents override specific keys where necessary.
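
The lookup order and placeholder substitution described above, sketched as an added example (this is not UClaw's own code). The two Map objects stand in for the agent and app KV stores, and the function names, the placeholder grammar in the regular expression, and the fail-closed and log-safe behaviour are assumptions made for illustration.

```javascript
// Added illustration, not UClaw source. The Maps stand in for the agent and
// app environment KV stores; all function names here are hypothetical.
const PLACEHOLDER = /\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;

// Agent scope first, then the parent app scope; keys carry the "secret:" prefix.
function lookupSecret(name, agentKv, appKv) {
  const key = `secret:${name}`;
  if (agentKv.has(key)) return { value: agentKv.get(key), scope: "agent" };
  if (appKv.has(key)) return { value: appKv.get(key), scope: "app" };
  return null;
}

// Returns the resolved headers plus a log-safe view that never holds a value.
function resolveHeaders(headers, agentKv, appKv) {
  const resolved = {};
  const logSafe = {};
  for (const [header, template] of Object.entries(headers)) {
    // A replacer function inserts the value literally, so a "$&" or "$1"
    // inside a secret is not interpreted as a replacement pattern.
    resolved[header] = template.replace(PLACEHOLDER, (_match, name) => {
      const hit = lookupSecret(name, agentKv, appKv);
      // Fail closed: never send the literal placeholder upstream.
      if (hit === null) throw new Error(`unresolved secret: ${name}`);
      return hit.value;
    });
    logSafe[header] = template.replace(PLACEHOLDER, (_match, name) => {
      return `[secret:${name} from ${lookupSecret(name, agentKv, appKv).scope}]`;
    });
  }
  return { resolved, logSafe };
}

// Constructed sample data: the agent overrides one app-level key.
const appKv = new Map([
  ["secret:MY_SERVICE_API_KEY", "app-level-example-key"],
  ["secret:SHARED_TOKEN", "shared-example-token"],
]);
const agentKv = new Map([["secret:MY_SERVICE_API_KEY", "agent-override-example-key"]]);

const sample = resolveHeaders(
  {
    Authorization: "Bearer ${{ secrets.MY_SERVICE_API_KEY }}",
    "X-Shared": "${{ secrets.SHARED_TOKEN }}",
  },
  agentKv,
  appKv
);
console.log(sample.logSafe); // only key names and scopes, no secret values
```

The `logSafe` view shows which scope supplied each key, which helps when checking whether an agent-level override is shadowing an app-level credential.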

To learn about extensions and loading MCP servers, proceed to the Extensions API.