Blog
News, tutorials, and best practices for secrets management.
Approval Webhooks for OpenClaw Agents — Get Pinged When Something Needs Your Attention
Your OpenClaw agent is blocked waiting for approval and nobody refreshed the dashboard. The new mcp.approval_required and mcp.approval_decided webhook events fix that — Slack, Discord, PagerDuty, anything HTTP.
Approve OpenClaw Tool Calls from Telegram
Your CTO is on a plane and the only device they have is a phone. Tool-call approvals via Telegram inline keyboards turn that bottleneck into a one-tap decision — with full audit trail and per-org bot isolation.
Getting Started with OpenClaw and secr
A 5-minute walkthrough: install @secr/openclaw-plugin, create a scoped agent token, bind it via IDENTITY.md, and replace your plaintext credential file with a server-enforced broker. Free for 1 agent.
Human-in-the-Loop Tool Approvals for OpenClaw
When an OpenClaw agent goes to delete a repo, refund a charge, or send a customer email, you want a human to approve it. Here's how MCP gateway approval queues turn 'agent acted on its own authority' into 'agent acted with explicit approval'.
The OpenClaw NHI Posture Checklist
Twelve concrete posture rules for production OpenClaw deployments — what good looks like, why each rule matters, and the one-line remediation when you fail it.
OpenClaw Secret Allowlists — Limit What Each Agent Can Read
An OpenClaw agent rarely needs every credential in your project. Here's how secret allowlists turn 'agent has read access' into 'agent has read access to exactly these three keys, and nothing else'.
Detecting Shadow OpenClaw Agents in Your Organisation
Someone in your engineering org has spun up an OpenClaw agent with a personal CLI token. Here's how to detect it within minutes — not at the next audit.
OpenClaw vs Claude Code — How NHI Differs Across AI Agent Frameworks
Different AI agent frameworks make different security trade-offs. Here's an honest comparison of OpenClaw and Claude Code from a Non-Human Identity perspective: what each gets right, what each leaves to the operator, and what changes you need on the credential side.
Securing OpenClaw Agents — What NHI Means in Practice
OpenClaw exposed the gap between AI agent autonomy and credential governance. Here's what changed, what didn't, and how to actually secure an OpenClaw deployment without slowing it down.
Why Plaintext .env Files Are Failing OpenClaw
In 2026, security researchers documented over 40,000 publicly exposed OpenClaw deployments leaking API keys, OAuth tokens, and cloud credentials in plaintext. The pattern is the .env file — and it's the wrong primitive for autonomous agents. Here's the news cycle, what changed, and how the credential layer needs to evolve.
Migrate Off .env Files in Under Five Minutes
secr's migration wizard and config export/import make it painless to move from dotenv files to a proper secrets manager — and to replicate project setups across environments.
See Every Machine Credential in Your Org — and Which Ones Are Overdue
secr's NHI dashboard gives you a single pane of glass for machine tokens, agent identities, security posture scoring, and external credential rotation tracking.
Share a Secret Without Sharing Your Vault
secr now supports one-time secret sharing links — encrypted, expiring, and self-destructing. Send a credential to a contractor or teammate without adding them to your org.
Your CI/CD Pipeline Has an Identity Problem
Most teams manage human access carefully but let machine credentials sprawl across pipelines, bots, and services with no audit trail. secr's Non-Human Identity management changes that.
How to Set Up Secrets for a Monorepo in 5 Minutes
Monorepos make sharing code easy but sharing secrets hard. Here's how to set up per-app, per-environment secrets with secr — without duplicating values or leaking across boundaries.
Why HashiCorp Vault Is Overkill for 90% of Teams
Vault is powerful. It's also complex, expensive to operate, and designed for problems most teams don't have. Here's when you actually need it — and when you don't.
secr vs Infisical: Which Is Right for Your Team?
secr and Infisical are both developer-focused secrets managers. Here's how they differ in architecture, developer experience, and what they're optimised for.
secr vs Doppler: An Honest Comparison
Both secr and Doppler solve secrets management — but they're built for different teams. Here's where each one shines and where it falls short.
How to Manage Secrets in Next.js Without .env
Next.js apps rely on .env.local for secrets — but those files get leaked, forgotten, and go stale. Here's how to replace them with encrypted, synced secrets using secr.
Stop Sharing .env Files Over Slack
Every day, teams paste API keys, database URLs, and tokens into Slack DMs. Here's why that's a security incident waiting to happen — and what to do instead.
Beyond Key-Value: Managing Structured Secrets with secr
When your secrets grow beyond flat API keys into multi-field credentials across regions and services, here's how to keep them organised without drowning in env vars.
Enterprise-Ready: SSO, SCIM, and Identity Management Are Live
secr now supports SAML SSO, OIDC, SCIM directory provisioning, social login, MFA, and passkeys — everything your security team needs to approve a secrets manager.
Keep Your Entire Team's Postman Environments in Sync — Automatically
secr now syncs secrets directly to Postman. Change an API key once and every engineer on your team gets it instantly — no more stale environments or Slack messages asking for the latest credentials.
Announcing secr
secr is here. A CLI-first secrets manager that replaces .env files with encrypted, synced environment variables your whole team can share.