What is the OpenClaw configure API key destruction bug?

Running openclaw configure in v2026.2.6-3 writes __OPENCLAW_REDACTED__ placeholder strings to the real config file instead of preserving actual values, destroying all API keys, tokens, and even numeric configuration values.

How do I fix destroyed API keys in OpenClaw?

Restore from a backup of your openclaw.json file. If no backup exists, you will need to re-enter all API keys manually. Avoid running openclaw configure until the bug is patched.

Does the OpenClaw Studio GUI have the same bug?

Yes. GitHub issue #13058 reports that opening OpenClaw Studio causes it to read, redact, and write back the config — corrupting API keys and preventing the gateway from starting.

Which OpenClaw versions are affected by the redacted config bug?

The bug was first reported in v2026.2.6-3 and affects Studio GUI, LaunchAgent plist generation, and maxTokens handling across multiple versions. Check GitHub issues #11268, #13058, #13340, and #16042.

How do I protect my OpenClaw API keys?

Back up your openclaw.json before any configure or upgrade operation. Use external secrets management (introduced in v2026.2.26) to store keys outside the main config file.

← Back to dashboard

clawsmith.com/signal/openclaw-configure-destroys-api-keys-redacted-placeholder

⚠ IssueWide OpenLive

OpenClaw Configure Writes __OPENCLAW_REDACTED__ to Real Config Files — Destroys All API Keys

Running openclaw configure in v2026.2.6-3 replaces real API keys, tokens, and numeric values with __OPENCLAW_REDACTED__ placeholder in the config file. Same bug affects Studio GUI (#13058), LaunchAgent plist (#13340), and maxTokens (#16042). Redaction logic meant for display is incorrectly applied during write operations.

Product Idea from this Signal

A file protection agent that guards OpenClaw config files from redaction bugs that destroy API keys and infostealers that steal them

145 ▲

Running openclaw configure writes __OPENCLAW_REDACTED__ placeholders to your real config file, permanently destroying all API keys. The Studio GUI does the same. Meanwhile, RedLine, Lumma, and Vidar infostealers now specifically target OpenClaw config paths as high-value credential stores. Your configs face threats from both directions: OpenClaw's own tools corrupt them, and malware harvests them. This tool creates an encrypted, versioned vault for all OpenClaw credentials, intercepts config writes to prevent redaction damage, and monitors for infostealer access patterns.

SECURITYCLIDEVTOOLCREDENTIAL-MANAGEMENT

UnderservedView Opportunity →