Credential Rotation

View as Markdown

NemoClaw uses different rotation paths for inference, messaging, and web search credentials. Inference credentials can normally be updated while reusing the existing sandbox. Messaging tokens and web search settings require a rebuild or recreation because their configuration is applied when the sandbox image starts.

Before You Start

List the provider names registered with the OpenShell gateway.

$nemoclaw credentials list

The output is authoritative for commands that accept an OpenShell provider name. An inference provider is commonly named nvidia-prod, while an onboarded web search provider is commonly named <sandbox>-brave-search or <sandbox>-tavily-search. Provider names can differ with your selected inference route and sandbox configuration.

Per-sandbox messaging bridge names are not resettable credentials. Use channels add, channels remove, or channels stop for messaging integrations instead of passing a bridge name to credentials reset.

CredentialSupported rotation pathSandbox impact
Inference API keyRerun onboarding with the replacement valueThe existing sandbox can normally be reused unless onboarding detects unrelated configuration drift
Slack, Telegram, or Discord tokenRe-add the channel, then rebuildRebuild required
Brave or Tavily web search keyRerun onboarding with the selected web search providerSandbox recreation required

Rotate an Inference API Key

Supply the replacement key and rerun onboarding for the existing sandbox. Read replacement credentials silently on a trusted host so their values do not enter shell history or terminal scrollback. Unset each variable after the command finishes.

$printf 'New NVIDIA inference API key: ' >&2
$IFS= read -r -s NVIDIA_INFERENCE_API_KEY
$printf '\n' >&2
$export NVIDIA_INFERENCE_API_KEY
$nemoclaw onboard --name <sandbox> \
> --non-interactive --yes --yes-i-accept-third-party-software
$unset NVIDIA_INFERENCE_API_KEY

Onboarding updates the selected OpenShell inference provider and reuses the sandbox when its recorded configuration is still compatible. If onboarding detects other configuration drift, review the requested rebuild or recreation before continuing.

For an interactive rotation, export the replacement key and run nemoclaw onboard --name <sandbox> without the non-interactive flags.

Rotate a Messaging Token

Re-adding an existing channel overwrites its stored credentials. The replacement takes effect only after a rebuild because messaging providers are resolved when the sandbox starts.

Slack

Slack requires both replacement tokens.

$printf 'New Slack bot token: ' >&2
$IFS= read -r -s SLACK_BOT_TOKEN
$printf '\n' >&2
$printf 'New Slack app token: ' >&2
$IFS= read -r -s SLACK_APP_TOKEN
$printf '\n' >&2
$export SLACK_BOT_TOKEN SLACK_APP_TOKEN
$NEMOCLAW_NON_INTERACTIVE=1 nemoclaw <sandbox> channels add slack
$unset SLACK_BOT_TOKEN SLACK_APP_TOKEN
$nemoclaw <sandbox> rebuild --yes

Telegram

$printf 'New Telegram bot token: ' >&2
$IFS= read -r -s TELEGRAM_BOT_TOKEN
$printf '\n' >&2
$export TELEGRAM_BOT_TOKEN
$NEMOCLAW_NON_INTERACTIVE=1 nemoclaw <sandbox> channels add telegram
$unset TELEGRAM_BOT_TOKEN
$nemoclaw <sandbox> rebuild --yes

Discord

$printf 'New Discord bot token: ' >&2
$IFS= read -r -s DISCORD_BOT_TOKEN
$printf '\n' >&2
$export DISCORD_BOT_TOKEN
$NEMOCLAW_NON_INTERACTIVE=1 nemoclaw <sandbox> channels add discord
$unset DISCORD_BOT_TOKEN
$nemoclaw <sandbox> rebuild --yes

Omit NEMOCLAW_NON_INTERACTIVE=1 and the token variables if you want channels add to prompt for replacement values and offer the rebuild interactively.

Rotate a Web Search Key

Web search provider configuration and credential attachment are baked into the sandbox image. Select the provider again and recreate the sandbox so the replacement becomes active.

OpenClaw supports Brave or Tavily through NemoClaw onboarding.

$printf 'New Brave API key: ' >&2
$IFS= read -r -s BRAVE_API_KEY
$printf '\n' >&2
$export BRAVE_API_KEY
$NEMOCLAW_WEB_SEARCH_PROVIDER=brave \
> nemoclaw onboard --fresh --name <sandbox> --recreate-sandbox \
> --non-interactive --yes --yes-i-accept-third-party-software
$unset BRAVE_API_KEY

To rotate a Tavily key instead, read and export TAVILY_API_KEY silently and select NEMOCLAW_WEB_SEARCH_PROVIDER=tavily.

Remove and Re-register a Provider Credential

Use credentials reset only when you need to remove an inference or web search provider before its replacement is available. Run nemoclaw credentials list first, then pass the exact provider name from that output.

$nemoclaw credentials reset nvidia-prod --yes

Removing a provider interrupts requests that depend on it. Re-register an inference provider with the inference rotation command above. For web search, repeat the matching web search onboarding flow and recreate the sandbox.

Do not pass a messaging bridge name to credentials reset. Use the messaging rotation flow above to replace a token, or nemoclaw <sandbox> channels remove <channel> to retire the integration.

Emergency Rotation After Key Compromise

If a credential was exposed, act in this order:

  1. Revoke the exposed credential at the upstream provider before relying on any local cleanup.

  2. For inference or web search, remove the exact provider shown by nemoclaw credentials list if a replacement is not immediately available.

  3. For messaging, use channels remove to retire the integration or re-add the channel with a replacement token and rebuild.

  4. Issue a replacement credential at the upstream provider.

  5. Follow the matching rotation procedure on this page.

  6. Complete a real request through the affected inference, search, or messaging integration.

  7. Review recent sandbox logs for unexpected authentication failures or use of the retired credential:

    $nemoclaw <sandbox> logs --since 24h | grep -i "auth\|401\|403\|forbidden"

Rotate an Inference Key in CI/CD

Supply credentials through the CI system’s secret store and inject them as environment variables. Non-interactive onboarding must include the third-party software acceptance flag.

1- name: Rotate inference key
2 env:
3 NVIDIA_INFERENCE_API_KEY: ${{ secrets.NVIDIA_INFERENCE_API_KEY }}
4 run: >-
5 nemoclaw onboard --name <sandbox>
6 --non-interactive --yes --yes-i-accept-third-party-software

Do not commit credential values or host-side NemoClaw state to the repository. Plan for rebuild downtime when automating messaging rotation and recreation downtime when automating web search rotation.

Verify the Replacement

nemoclaw credentials list confirms that a provider exists, but it does not reveal or validate the stored value. nemoclaw status performs reachability checks without sending cloud API keys, so even an HTTP 401 or 403 can count as reachable. nemoclaw inference get reports the active route and does not authenticate a model request.

Complete a real request through the rotated integration before declaring the rotation successful.

Verify an inference key by running an isolated OpenClaw turn and confirming that it returns the requested content.

$nemoclaw <sandbox> agent --session-id credential-check \
> -m "Reply with only: credential-check-ok"

To verify messaging, send a test message from an allowed account and confirm the sandbox receives it and responds. To verify web search, ask the agent to perform a search and confirm that the tool returns current results without an authentication error.