Quickstart
Get from zero to a working integration in a few minutes. Start with the CLI if you want the fastest path — one command provisions a vault, agent, access policy, and wires your AI tools (Cursor, Claude Desktop, VS Code, and more).
Install the CLI and run 1claw setup. It logs you in, creates an agent + vault + policy, and configures MCP for every AI client it detects. No manual curl, no copy-pasting API keys into config files.
brew install 1clawAI/tap/oneclaw # or: npm install -g @1claw/cli
1claw setup
When setup finishes, your AI assistant can call 1Claw tools (get_secret, list_secrets, and more) at runtime — secrets stay in the vault, not in prompts or .env files. See the CLI guide for all options (--client cursor, --local, existing agent keys).
How 1Claw works
1Claw has two roles. Humans own secrets and decide what agents can access. Agents fetch secrets at runtime through scoped, audited policies — they never get blanket vault access.
| Role | You are… | You do… | Auth |
|---|---|---|---|
| Human | Developer, operator, or team owner | Create vaults, store secrets, register agents, write policies | Email/password, Google, passkey, or personal API key (1ck_) |
| Agent | AI assistant, service, or automation | List and fetch secrets the human allowed; optionally sign txs or route LLM calls through Shroud | Agent API key (ocv_) → short-lived JWT |
Same API for both: https://api.1claw.xyz. The dashboard at 1claw.xyz is a UI on top of the same endpoints.
Pick your path
| Goal | Fastest route | Steps |
|---|---|---|
| AI assistant with vault access (Cursor, Claude, etc.) | 1claw setup | 1 command |
| Store secrets as a human (scripts, apps, CI) | Human path | 3–4 steps |
| Agent fetching secrets (service, LangChain, custom code) | Agent path | 2–4 steps |
| Human grants agent access end-to-end | Golden path or 1claw setup | 4 steps |
| No cloud / offline secrets | 1claw init --docker --local or local vault | See CLI |
Fastest: CLI setup
Best for: Cursor, Claude Desktop, Claude Code, VS Code, Windsurf, Zed, Continue — any tool that supports MCP.
brew install 1clawAI/tap/oneclaw
1claw setup
What setup does in one flow:
- Login — browser device flow at 1claw.xyz (no password in terminal)
- Provision — agent (Shroud + Intents enabled), vault, and read/write policy on
secrets/* - Configure — writes MCP config for each detected AI client
Already have an agent key? Skip provisioning:
1claw setup --agent-key ocv_YOUR_KEY
Import existing .env secrets:
1claw login
1claw vault create my-vault # or use default from setup
1claw import .env --vault <vault-id>
Run a command with secrets injected (CI/CD):
export ONECLAW_TOKEN="..." # or ONECLAW_API_KEY + ONECLAW_VAULT_ID
1claw env run -- npm start
Full command reference: CLI guide.
Human path: store and use secrets
You own the vault. Sign up, create a vault, store a secret, read it back.
Option A — CLI (fewest steps)
1claw login
1claw vault create "My Vault"
1claw secret set api-keys/openai --value "sk-proj-..." --type api_key
1claw secret get api-keys/openai
Option B — Dashboard
- Sign up at 1claw.xyz
- Vaults → Create vault (or use the onboarding wizard)
- Secrets → Add secret at a path like
api-keys/openai - Optional: Agents → Register agent and Policies → Grant access
Option C — REST API / SDK
Step-by-step curl and TypeScript examples: Quickstart for humans.
Agent path: fetch secrets at runtime
An agent only sees what a human allowed. Zero access by default until a policy grants specific paths.
How an agent gets credentials
| Method | Who initiates | When to use |
|---|---|---|
| Human registers agent | You in dashboard or 1claw agent create | You control provisioning; share ocv_ key once |
| Self-enrollment | Agent calls POST /v1/agents/enroll | Agent-first flows; human approves via email or link |
1claw setup | CLI during setup | Fastest when wiring an AI client |
Minimal agent flow (already have ocv_ key)
# Exchange key for JWT (CLI handles refresh automatically in scripts)
1claw agent token <agent-id>
# Or with curl — see full guide
curl -X POST https://api.1claw.xyz/v1/auth/agent-token \
-H "Content-Type: application/json" \
-d '{"api_key":"ocv_..."}'
Then list and fetch secrets the policy allows (metadata vs decrypted value):
1claw secret list --vault <vault-id> # as agent: set ONECLAW_AGENT_API_KEY
Full walkthrough (enroll, token, list, fetch, share back): Quickstart for agents.
An agent with an API key but no policy gets zero secrets. After creating an agent, always add a policy (dashboard, 1claw policy create, or let 1claw setup do it). See Give an agent access.
Ways to integrate
Choose the interface that matches where your code runs:
| Integration | Best for | Get started |
|---|---|---|
| CLI | Fastest onboarding, CI/CD, env run, local daemon | 1claw setup |
| Dashboard | Visual setup, policies, audit log, billing | Sign up → onboarding wizard |
| MCP Server | AI assistants (Claude, Cursor, GPT) calling vault tools | 1claw setup or MCP setup |
| TypeScript SDK | Node.js apps, agents, platform backends | npm install @1claw/sdk |
| REST API | Any language, curl, Postman | Human or Agent quickstart |
| Shroud proxy | LLM traffic — redaction, injection detection, vault-backed provider keys | 1claw proxy or agent with Shroud enabled |
| Intents API | On-chain signing without exposing private keys | Enable on agent → 1claw agent tx submit |
| Local vault + daemon | Offline dev, secret never in model context | 1claw local init → 1claw setup --local |
| Docker agent runtime | Isolated agent in a container, chat UI on :3000 | 1claw init --docker |
Common integration patterns
1. AI coding assistant (recommended)
1claw setup --client cursor # or omit --client for all detected tools
Agent uses MCP tools at runtime; you manage secrets in the vault via dashboard or CLI.
2. Application / backend service
Use the SDK or REST API with a personal API key (1ck_) for human operations, or an agent key (ocv_) for automated fetch. See JavaScript SDK.
3. CI/CD pipeline
export ONECLAW_TOKEN="${{ secrets.ONECLAW_TOKEN }}"
1claw env pull -o .env.production
npm run deploy
4. LLM app with guardrails
Enable Shroud on the agent, store provider keys in the vault, point requests at https://shroud.1claw.xyz. See Shroud and IDE setup.
5. On-chain agent
Enable Intents API, provision signing keys, set transaction guardrails in the dashboard. See Intents API.
End-to-end in four steps (human + agent)
The shortest manual path if you are not using 1claw setup:
- Sign up — 1claw.xyz or
1claw login - Vault + secret —
1claw vault create+1claw secret set …(or dashboard) - Agent + policy —
1claw agent create my-agent+1claw policy create …(or golden path guide) - Connect — MCP via
1claw setup, SDK in your app, or1claw agent token+ API calls
Prerequisites
| Requirement | Details |
|---|---|
| Account | Free tier at 1claw.xyz — 1,000 requests/month, 3 vaults, 2 agents |
| CLI | Node 20+ for npm install -g @1claw/cli, or Homebrew tap above |
| API base URL | https://api.1claw.xyz |
| curl / HTTP client | Only needed if you skip the CLI and follow the REST quickstarts |
Next steps
- Quickstart for humans — REST/SDK vault CRUD in detail
- Quickstart for agents — enroll, token exchange, fetch secrets
- Give an agent access — golden path with policies
- Parts of 1Claw — Vault, Shroud, Intents, and all interfaces
- CLI — full command reference, Docker runtime, local daemon
- MCP overview — tools your AI assistant can call
- Examples repo — Basic and LangChain samples