Can RunTheAgents staff see my API key?

No. API keys are encrypted at rest and only decrypted by your running instance when making API calls. Administrative staff cannot view decrypted keys. The system is designed so that key material is only accessible to the process that needs it.

What happens to my API key if I delete my instance?

When you delete your instance, all associated data, including your encrypted API key, is permanently removed. We recommend also revoking the key directly with your AI provider as an additional precaution.

Should I set spending limits on my API key?

Yes, absolutely. This is strongly recommended regardless of which platform you use. Setting a monthly spending limit with your API provider (Anthropic or OpenAI) protects you from unexpected charges due to runaway tasks or, in the worst case, unauthorized access.

Feature

Your API Keys, Encrypted and Protected

Your Anthropic or OpenAI API key is sensitive. RunTheAgents encrypts it at rest and ensures it is only ever used by your isolated instance.

Deploy OpenClaw See How It Works

Why API Key Security Matters

Your API key is essentially a credit card for AI services. Anyone with access to your key can make API calls on your account, potentially running up significant charges. Compromised API keys are one of the most common security incidents in the AI space.

RunTheAgents takes API key security seriously. Your key is encrypted at rest using industry-standard encryption. It is never stored in plain text, never logged, never shared with other users, and only decrypted when your specific instance needs to make an API call to your chosen provider.

This approach means that even in the unlikely event of a data breach, your API keys remain protected by encryption rather than being immediately usable.

Security Measures in Place

Encryption at Rest

Your API key is encrypted before it is stored. It is never written to disk or database in plain text. Standard encryption algorithms protect your credentials from unauthorized access.

Instance Isolation

Your API key is only accessible to your specific instance. No other user's instance, no shared process, and no administrative tool can access your decrypted key.

No Plain-Text Logging

API keys are never included in log files, error reports, or monitoring data. Even internal system logs mask or exclude credential information.

You Control the Key

You can rotate, revoke, or change your API key at any time through your dashboard. If you suspect compromise, change the key instantly. You can also revoke the key directly with your AI provider.

Best Practices for API Key Management

Protecting your credentials is a shared responsibility

Use Dedicated API Keys

Create a separate API key specifically for your RunTheAgents instance. Do not reuse keys across multiple services. If one service is compromised, your other services remain unaffected.

Set Usage Limits

Both Anthropic and OpenAI allow you to set spending limits on your API keys. Configure a monthly limit that matches your expected usage. This prevents runaway costs even if a key is somehow compromised.

Monitor Your Usage

Check your API provider's dashboard periodically to verify usage patterns match your expectations. Unexpected spikes could indicate unauthorized access.

Rotate Keys Periodically

As a security best practice, generate a new API key every few months and update it in your RunTheAgents dashboard. Revoke the old key after confirming the new one works.

Security by the Numbers

AES-256

Industry-standard encryption for stored keys

Plain-text API keys in storage or logs

100%

Instance isolation between users

Instant

Key rotation through your dashboard

Frequently Asked Questions

Bring Your Own API Key AI Security Best Practices Isolated Instances

Ready to get started?

Deploy your own OpenClaw instance in under 60 seconds. No VPS, no Docker, no SSH. Just your personal AI assistant, ready to work.

Deploy OpenClaw View Pricing

Starting at $39.95/month. Everything included. 3-day money-back guarantee.