OpenClaw API Key Setup: Claude, Supabase, Telegram, and More
How to configure API keys in OpenClaw. Covers Claude (Anthropic), Telegram bots, Supabase, and best practices for keeping credentials out of your codebase.
OpenClaw works out of the box once you add your Anthropic API key. Every other integration — Telegram, Discord, Supabase, email — needs its own credential. This guide covers where each key lives, how to add it, and how to keep secrets from leaking into git.
The Required Key: Anthropic (Claude)
OpenClaw uses Claude as its AI backend. Without an Anthropic API key, nothing runs.
Get your key:
- Go to console.anthropic.com
- Create an account (email + verification)
- Add a payment method — Anthropic requires credit card even for free tier
- Navigate to API Keys → Create Key
- Copy immediately — it's shown once
Add to OpenClaw config:
# In your OpenClaw config file or .env
ANTHROPIC_API_KEY=sk-ant-api03-...your-key...
Pricing context: Claude Sonnet costs roughly $3 per million input tokens and $15 per million output tokens. A typical day of heavy use — morning brief, a few writing tasks, research — costs $0.50-2.00. Haiku costs about 25x less for routine background tasks.
Telegram Bot Key
Telegram is the fastest channel for OpenClaw notifications. Setup takes 3 minutes.
Create a bot:
- Open Telegram and search for @BotFather
- Send
/newbot - Choose a name (display name) and username (must end in "bot")
- BotFather returns a token:
123456789:ABCdefGHIjklMNopQRstu
Get your chat ID:
- Send any message to your new bot
- Visit:
https://api.telegram.org/bot[YOUR_TOKEN]/getUpdates - Find
"chat":{"id":262207319}— that number is your chat ID
Add to OpenClaw:
TELEGRAM_BOT_TOKEN=123456789:ABCdefGHIjklMNopQRstu
TELEGRAM_CHAT_ID=262207319
Test it works:
curl -s "https://api.telegram.org/bot[TOKEN]/sendMessage?chat_id=[CHAT_ID]&text=OpenClaw+connected"
You should see the message appear in Telegram within 2 seconds. If not — check the token and chat ID first.
Discord Bot Key
Discord integration requires a bot token and server (guild) ID.
Create a Discord bot:
- Go to discord.com/developers/applications
- New Application → name it
- Bot section → Add Bot → Reset Token (copy it)
- Enable: Message Content Intent, Server Members Intent
- OAuth2 → URL Generator → select: bot, applications.commands, Send Messages, Read Messages
- Invite the bot to your server using the generated URL
Get server ID:
- Right-click your server name → Copy Server ID (requires Developer Mode in Discord settings)
Add to OpenClaw:
DISCORD_BOT_TOKEN=your-bot-token-here
DISCORD_GUILD_ID=your-server-id-here
DISCORD_CHANNEL_ID=your-channel-id-here
Supabase Key
Supabase provides the database and authentication layer for OpenClaw projects that need persistent data. The blog system, lead tracking, and analytics all run on Supabase.
Get your keys:
- Create project at supabase.com
- Settings → API
- Copy: Project URL, anon/public key, service_role key (secret — never expose publicly)
Add to OpenClaw:
SUPABASE_URL=https://your-project-id.supabase.co
SUPABASE_ANON_KEY=eyJhbGci...public-key...
SUPABASE_SERVICE_ROLE_KEY=eyJhbGci...secret-key...
The anon key is safe for client-side code. The service_role key bypasses Row Level Security — never put it in frontend code or public repos.
Google / Gmail API Key
For email integration, OpenClaw uses Gmail's OAuth flow or app passwords.
Using app passwords (simpler):
- Google Account → Security → 2-Step Verification (must be enabled)
- Security → App Passwords → Create
- Name it "OpenClaw" → Generate
- Copy the 16-character password
GMAIL_USER=your@gmail.com
GMAIL_APP_PASSWORD=abcd efgh ijkl mnop
The app password lets OpenClaw read and send email without OAuth complexity. Revocable independently of your main Google password.
Keeping Keys Out of Git
The most common security mistake in OpenClaw setups: committing a .env file to git. Once it hits GitHub, treat all those keys as compromised — even if you delete the file. Git history is permanent.
Prevention:
# .gitignore — add these lines
.env
.env.local
.env.production
*.env
secrets/
Verify your .env is ignored before pushing:
git check-ignore -v .env
If the command returns the file path — it's ignored. If it returns nothing — it's NOT ignored and you need to add it to .gitignore before committing.
Where to Store Secrets on a VPS
On a self-hosted OpenClaw VPS, separate secrets from code:
/root/
mrdelegate/ # Code repo (in git)
astro/
platform/
mrdelegate-secrets/ # NOT in git
anthropic.env
telegram.env
supabase.env
cloudflare.env
Load secrets at runtime:
bash -c 'set -a; source /root/mrdelegate-secrets/anthropic.env; set +a; node app.js'
This keeps your code repo clean. Even if someone gets read access to the repo, they get no credentials.
API Key Rotation Schedule
Keys you should rotate regularly:
- Anthropic key — rotate every 90 days or immediately after any suspected leak
- Telegram bot token — rotate if you ever log it accidentally; /mybots → select bot → API Token → Revoke current token
- Supabase service_role — rotate every 180 days or on staff changes
- Discord bot token — rotate after any bot compromise
Create a calendar reminder. Keys that never get rotated eventually leak via old screenshots, log files, or console history.
Verifying All Keys Are Set
Run this check after initial setup to confirm every required key is present:
#!/bin/bash
# validate-env.sh
required_vars=(
"ANTHROPIC_API_KEY"
"TELEGRAM_BOT_TOKEN"
"TELEGRAM_CHAT_ID"
"SUPABASE_URL"
"SUPABASE_ANON_KEY"
)
missing=0
for var in "${required_vars[@]}"; do
if [ -z "${!var}" ]; then
echo "MISSING: $var"
missing=$((missing + 1))
else
echo "OK: $var"
fi
done
echo ""
if [ $missing -gt 0 ]; then
echo "ERROR: $missing required variables missing"
exit 1
else
echo "All required variables present"
fi
Run this after every deploy, every env change, and every server migration. Silent missing variables are the most common cause of OpenClaw features silently not working.