Credential Management
XClaw handles a large number of third-party credentials: API keys, OAuth tokens, cloud platform secrets. The credential management system aims to keep this sensitive information secure while keeping it convenient to use.
All credentials are encrypted and stored locally. Encryption uses OS-level keychain services (macOS Keychain, Windows Credential Store) rather than custom encryption schemes. This means credential security is on par with your system password.
OAuth connections require token refresh. XClaw handles this automatically — when a token is about to expire, it silently obtains a new Access Token using the Refresh Token in the background. You won't see "token expired, please re-login" interruptions.
OAuth providers supported include: Anthropic (Claude Pro/Max), Google, ChatGPT Plus, Slack, GitHub, Microsoft. Each connection is managed independently — disconnecting one doesn't affect others.
For API key credentials, XClaw only displays the last few characters in the UI — the full value never appears on screen. Credentials also never appear in log files.
How to
Credential management is centralized in Settings > AI Models and Settings > MCP Connections. API keys and tokens entered when adding models or MCP servers are automatically encrypted and stored.
Want to check saved credentials? You can see the last few characters in the corresponding connection config (full values are hidden for security). Need to update an expired or compromised API key? Click the "Edit" button on the connection, paste the new key, and save.
OAuth connections usually require no manual management — XClaw refreshes tokens automatically. If an OAuth connection stops working someday (perhaps you revoked authorization on the provider's side), click "Re-authorize" in the connection list to go through the OAuth flow again.
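The refresh-before-expiry behaviour and the "Re-authorize" case described above can be sketched as follows. This is an added example, not XClaw's own code: `OAuthConnection`, `TokenSet`, `refresh_fn`, the 60-second skew and the 3600-second default lifetime are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass

class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must repeat the OAuth flow."""

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time at which the access token expires

class OAuthConnection:
    """One provider connection (hypothetical class); each instance refreshes independently."""
    def __init__(self, tokens, refresh_fn, skew=60.0, clock=time.time):
        self.tokens = tokens
        self._refresh_fn = refresh_fn  # assumed: sends grant_type=refresh_token, returns the JSON dict
        self._skew = skew              # assumed: refresh this many seconds before expiry
        self._clock = clock
        self.needs_reauth = False      # what a UI would use to offer "Re-authorize"

    def access_token(self):
        if self.needs_reauth:
            raise ReauthorizationRequired("connection must be re-authorized")
        if self._clock() >= self.tokens.expires_at - self._skew:
            self._refresh()
        return self.tokens.access_token

    def _refresh(self):
        resp = self._refresh_fn(self.tokens.refresh_token)
        if resp.get("error") == "invalid_grant":  # RFC 6749 section 5.2: revoked or expired
            self.needs_reauth = True
            raise ReauthorizationRequired("refresh token rejected by provider")
        if "access_token" not in resp:  # report only the error code, never token values
            raise RuntimeError("token refresh failed: %s" % resp.get("error", "unknown"))
        self.tokens = TokenSet(
            resp["access_token"],
            resp.get("refresh_token", self.tokens.refresh_token),  # keep old one unless rotated
            self._clock() + float(resp.get("expires_in", 3600)),   # assumed default lifetime
        )

def demo():  # constructed scenario: fake provider reply and fake clock, no network
    now = [1000.0]
    reply = {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
    conn = OAuthConnection(TokenSet("at-1", "rt-1", 1300.0), lambda rt: reply, clock=lambda: now[0])
    first = conn.access_token()   # 300 s left: existing token is reused
    now[0] = 1250.0
    second = conn.access_token()  # 50 s left, inside the skew: refreshed first
    return first, second, conn.tokens.refresh_token
```

The error paths raise with the provider's error code only, so a failed refresh cannot leak a token value into a log or traceback message.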
Want to disconnect a connection? Find it in the list and click "Disconnect." This only removes the local credential — it won't affect your account with the provider or any other connections.