Strake
OpenClaw provider plugin — route inference through a Strake encrypted proxy endpoint.
Install
openclaw plugins install clawhub:@strakelabs/openclaw-strake@strakelabs/openclaw-strake
OpenClaw shouldn't need your real API keys. Now it doesn't.
This plugin registers Strake as a model provider in OpenClaw. Your actual OpenAI, Anthropic, or other API keys stay encrypted in the Strake vault. OpenClaw gets a disposable proxy URL and a bearer token — independently revocable, never stored in plaintext on your machine.
How it works
OpenClaw → Strake endpoint → your real API key → upstream provider
↑
disposable bearer token
(revoke it anytime without
touching the real key)
Strake sits in the middle. If the token leaks, rotate it in seconds. The real key never moves.
Install
openclaw plugins install @strakelabs/openclaw-strake
Setup
1. Create a Strake endpoint at app.strake.sh — pick your provider, paste your API key, grab the endpoint URL and bearer token.
2. Set the environment variables:
export STRAKE_BASE_URL=https://abc123.strake.sh
export STRAKE_TOKEN=your-bearer-token
Add these to your shell profile or CI secrets. The token is what you generated in the Strake dashboard — not your real API key.
3. Onboard:
openclaw onboard
Note: Pass
STRAKE_TOKENas an env var rather than--strake-tokenon the command line — OpenClaw detects it automatically at onboard time. The--strake-tokenflag isn't available until after the plugin is fully loaded.
4. Run:
openclaw --model strake/gpt-4o
openclaw --model strake/claude-3-5-sonnet-20241022
openclaw --model strake/gemini-2.0-flash
Any model ID your upstream provider accepts works — Strake proxies it through unchanged.
Why bother?
| Without Strake | With Strake |
|---|---|
Real key in ~/.openclaw/config | Disposable token only |
| Key leak = full account exposure | Token leak = revoke in seconds |
| One key, all your tools share it | Per-tool tokens, isolated blast radius |
| Rotate key = update every tool | Rotate key = zero config changes |
Environment variables
| Variable | Required | Description |
|---|---|---|
STRAKE_BASE_URL | Yes | Your Strake endpoint URL (e.g. https://abc123.strake.sh) |
STRAKE_TOKEN | Yes | Bearer token from your Strake endpoint |
Both are set by the Strake CLI automatically if you use strake run:
strake run my-proxy -- openclaw
No manual env setup needed — the token is minted, injected, and revoked when OpenClaw exits.
Using with the Strake CLI
If you have the Strake CLI installed, the cleanest workflow is:
# One-time setup
strake auth login
strake endpoint create openai
# Every session
strake run my-proxy -- openclaw
strake run mints an ephemeral token, sets STRAKE_BASE_URL and STRAKE_TOKEN, launches OpenClaw, and revokes the token on exit. Nothing lingers.
Troubleshooting
plugins.allow is empty warning
OpenClaw warns when it auto-loads a non-bundled plugin without an explicit allowlist. This is informational — the plugin still loads and works. To silence it, add strake to your OpenClaw config:
// ~/.openclaw/openclaw.json
{
"plugins": {
"allow": ["strake"]
}
}
Gateway agent failed; falling back to embedded
Gateway agent failed; falling back to embedded: Error: gateway closed (1006 abnormal closure)
Gateway target: ws://127.0.0.1:18789
This is expected if you're not running a local OpenClaw gateway process. OpenClaw tries the local gateway first, then falls back to embedded mode automatically. Inference through Strake works in both modes — no action needed.
No reply from agent in agent mode
If you run openclaw agent and get "No reply from agent", the model responded but didn't invoke any tools. This is an OpenClaw agent behavior — the embedded fallback works best for direct inference commands rather than open-ended agent tasks. Try:
# Direct inference — works reliably
openclaw --model strake/gpt-4o --message "your prompt"
# Agent mode — works when the task requires tool use
openclaw agent --agent main --message "search for X and summarize"
Links
MIT © Dalton Solutions, LLC