The script:
1. Shows ONE macOS popup — user pastes all keys in any format
2. Local Python regex parses key-value pairs (no AI, no network)
3. Confirmation popup: "Found 3 keys: X, Y, Z — Store all?"
4. ONE `openclaw config set` batch → ONE gateway restart
5. Keys never appear in chat, logs, or shell history

### Supported input formats:
- `key_name: value` or `key_name = value`
- `KEY_NAME=value`
- Bare tokens on separate lines (auto-labeled in order)
- Mixed formats in one paste

---

## Storing a Key (v3 — Zero Exposure)

**Use the v3 script.** The agent NEVER sees the key. The script handles popup + storage directly.

The script:
1. Shows macOS popup (hidden input)
2. Calls `openclaw config set` for each path
3. Restarts gateway
4. Returns ONLY "OK" or "ERROR" — key never appears in agent output or chat history

### Legacy Method (v2 — agent sees key, NOT recommended)

**Step 1:** Launch the secure input popup. On macOS:

**Step 2:** Once you have the key value (from stdout of the script), store it via gateway config.patch.

Example for OpenAI:

**Critical rules:**
- NEVER echo, print, or include any key value in chat messages or tool call arguments
- NEVER include key values in the `reason` field of config.patch
- If a user pastes a key directly in chat, store it immediately and tell them to delete the message
- The secure_input_mac.sh script outputs the key to stdout — capture it in a variable, use it in config.patch, never log it

## Listing Keys

Read from the live config using `gateway config.get`. Show masked values only (first 4 chars + ****).
Parse the config JSON and find all `apiKey` fields, display their config path and masked value.

## Testing a Key

Test endpoints:
- **OpenAI**: `curl -s -H "Authorization: Bearer $KEY" https://api.openai.com/v1/models | head`
- **ElevenLabs**: `curl -s -H "xi-api-key: $KEY" https://api.elevenlabs.io/v1/user`
- **Anthropic**: `curl -s -H "x-api-key: $KEY" -H "anthropic-version: 2023-06-01" https://api.anthropic.com/v1/messages -d '{"model":"claude-3-haiku-20240307","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'`
- **Brave Search**: `curl -s -H "X-Subscription-Token: $KEY" "https://api.search.brave.com/res/v1/web/search?q=test&count=1"`

Source the key from the config (via gateway config.get), test it, report result. Never show the key.

## Deleting a Key

Use `gateway config.patch` to set the key value to an empty string or remove the entry.

## 💎 Paid Tier (Coming Soon)

ipeaky core is free forever. A paid tier is in development with premium features:

- **Team key sharing** — Role-based access across team members
- **Key rotation reminders** — Automated expiry alerts
- **Usage analytics** — Track key usage across skills
- **Breach monitoring** — Leak database notifications
- **Cross-platform** — Linux & Windows secure input
- **Backup & sync** — Encrypted cloud backup

See `paid_tier/README-paid.md` for details. Billing is powered by Stripe.

# X API keys (consumer key + secret + bearer in one paste)
bash {baseDir}/scripts/store_key_v4.sh "X API" "skills.entries.x-twitter.env"

# Any service — user pastes in any format:
#   consumer key: abc123
#   secret: xyz789
#   bearer token: AAAA...

# Brave Search
bash {baseDir}/scripts/store_key_v3.sh "Brave Search" "tools.web.search.apiKey"

# OpenAI (multiple paths)
bash {baseDir}/scripts/store_key_v3.sh "OpenAI" "skills.entries.openai-whisper-api.apiKey"

# ElevenLabs (sag + talk)
bash {baseDir}/scripts/store_key_v3.sh "ElevenLabs" "skills.entries.sag.apiKey" "talk.apiKey"

# Set up Stripe integration (uses ipeaky to store its own key!)
bash {baseDir}/paid_tier/stripe-setup.sh

# Create a checkout session
bash {baseDir}/paid_tier/stripe-checkout.sh --price price_XXXXX --mode subscription