Credential Rotation
NemoClaw uses different rotation paths for inference, messaging, and web search credentials. Inference credentials can normally be updated while reusing the existing sandbox. Messaging tokens and web search settings require a rebuild or recreation because their configuration is applied when the sandbox image starts.
Before You Start
List the provider names registered with the OpenShell gateway.
The output is authoritative for commands that accept an OpenShell provider name.
An inference provider is commonly named nvidia-prod, while an onboarded web search provider is commonly named <sandbox>-brave-search or <sandbox>-tavily-search.
Provider names can differ with your selected inference route and sandbox configuration.
Per-sandbox messaging bridge names are not resettable credentials.
Use channels add, channels remove, or channels stop for messaging integrations instead of passing a bridge name to credentials reset.
Rotate an Inference API Key
Supply the replacement key and rerun onboarding for the existing sandbox. Read replacement credentials silently on a trusted host so their values do not enter shell history or terminal scrollback. Unset each variable after the command finishes.
Onboarding updates the selected OpenShell inference provider and reuses the sandbox when its recorded configuration is still compatible. If onboarding detects other configuration drift, review the requested rebuild or recreation before continuing.
For an interactive rotation, export the replacement key and run nemohermes onboard --name <sandbox> without the non-interactive flags.
Rotate a Messaging Token
Re-adding an existing channel overwrites its stored credentials. The replacement takes effect only after a rebuild because messaging providers are resolved when the sandbox starts.
Slack
Slack requires both replacement tokens.
Telegram
Discord
Omit NEMOCLAW_NON_INTERACTIVE=1 and the token variables if you want channels add to prompt for replacement values and offer the rebuild interactively.
Rotate a Web Search Key
Web search provider configuration and credential attachment are baked into the sandbox image. Select the provider again and recreate the sandbox so the replacement becomes active.
Hermes uses Tavily for NemoClaw-managed web search. Brave is not a supported Hermes web search backend.
Remove and Re-register a Provider Credential
Use credentials reset only when you need to remove an inference or web search provider before its replacement is available.
Run nemohermes credentials list first, then pass the exact provider name from that output.
Removing a provider interrupts requests that depend on it. Re-register an inference provider with the inference rotation command above. For web search, repeat the matching web search onboarding flow and recreate the sandbox.
Do not pass a messaging bridge name to credentials reset.
Use the messaging rotation flow above to replace a token, or nemohermes <sandbox> channels remove <channel> to retire the integration.
Emergency Rotation After Key Compromise
If a credential was exposed, act in this order:
-
Revoke the exposed credential at the upstream provider before relying on any local cleanup.
-
For inference or web search, remove the exact provider shown by
nemohermes credentials listif a replacement is not immediately available. -
For messaging, use
channels removeto retire the integration or re-add the channel with a replacement token and rebuild. -
Issue a replacement credential at the upstream provider.
-
Follow the matching rotation procedure on this page.
-
Complete a real request through the affected inference, search, or messaging integration.
-
Review recent sandbox logs for unexpected authentication failures or use of the retired credential:
Rotate an Inference Key in CI/CD
Supply credentials through the CI system’s secret store and inject them as environment variables. Non-interactive onboarding must include the third-party software acceptance flag.
Do not commit credential values or host-side NemoClaw state to the repository. Plan for rebuild downtime when automating messaging rotation and recreation downtime when automating web search rotation.
Verify the Replacement
nemohermes credentials list confirms that a provider exists, but it does not reveal or validate the stored value.
nemohermes status performs reachability checks without sending cloud API keys, so even an HTTP 401 or 403 can count as reachable.
nemohermes inference get reports the active route and does not authenticate a model request.
Complete a real request through the rotated integration before declaring the rotation successful.
Verify an inference key by forwarding the Hermes API and making a chat-completions request with the onboarded model.
To verify messaging, send a test message from an allowed account and confirm the sandbox receives it and responds. To verify web search, ask the agent to perform a search and confirm that the tool returns current results without an authentication error.
Related Pages
- Credential Storage: how NemoClaw stores and protects credentials.
- Runtime Controls: which changes take effect at runtime and which require recreation.
- Security Best Practices: recommended key scopes and operational hygiene.
- Switch Inference Providers: change the inference provider rather than rotate its key.