Branch off your dev environment to create an isolated config so you control the agent's blast radius.
Branch configs are prefixed with the environment slug. dev_agent_openclaw lives under dev and inherits from its root unless you override.
Scope it down so if the task needs one API key, add one API key. OpenClaw is a multi-provider gateway, so use the key for whichever provider you've configured.
Do not let the agent populate or modify its own secrets. A human decides what goes in this config; the token in the next step is read-only, so the agent can't write back.
Bound to this one config, with an expiration so a leaked token dies on its own. Capture it into an environment variable so the next steps can reference it without pasting the raw value around.
Service tokens are read-only by default. The agent can fetch secrets, but never change them. This is the agent's identity.
Bind the agent's token to a single directory so the CLI only uses it there. Run this from the folder OpenClaw will work in.
The --scope . flag locks the token to the current directory. Any doppler command run inside that folder - the doppler run launch below, the Option B on-demand resolver calls, and anything OpenClaw itself invokes - resolves with this scoped agent token and never your personal CLI token.
Note: Run the agent in a sandbox scoped to that directory. And proceed with caution on production workloads: a non-deterministic agent with live credentials is real blast radius, so keep it pointed at dev/test configs unless you have a specific reason not to.
Option A: wrap it (standard pattern). Inject the config's secrets as environment variables for the whole session:
Option B: Native secret references (resolve on demand). OpenClaw's secret-reference exec provider resolves a credential by shelling out to a command. Point it at the Doppler CLI so secrets are fetched at the moment of use rather than held in the environment for the whole session:
Configure that as the resolver for the matching reference in OpenClaw, and the credential is pulled just-in-time, a tighter exposure window than env injection, useful for the most sensitive keys. Option A is the simplest. Option B gives you per-secret, just-in-time resolution. Either way, the token stays read-only and config-scoped.
Steps 1-6 give OpenClaw the credentials it runs with. The MCP server lets OpenClaw see and operate Doppler itself: list projects, inspect a config, and understand the secret layout before depending on it.
Alternatively, authenticate once with npx @dopplerhq/mcp-server login (or register it via the CLI: openclaw mcp add doppler --command npx --arg -y --arg @dopplerhq/mcp-server --arg --read-only). Reload the gateway after changes (openclaw gateway restart).
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.
